| Plugin name | Global Body Mass Index Calculator |
|---|---|
| Vulnerability type | Cross-site scripting (XSS) |
| CVE ID | CVE-2026-8883 |
| Urgency | Low |
| CVE publication date | 2026-06-09 |
| Source URL | CVE-2026-8883 |
CVE-2026-8883: Authenticated (Contributor) Stored XSS in Global Body Mass Index Calculator — What Site Owners Must Do Today
Author: Hong Kong Security Expert | Date: 2026-06-08
TL;DR — A stored cross-site scripting vulnerability (CVE-2026-8883) in the “Global Body Mass Index Calculator” WordPress plugin (versions ≤ 1.2) allows an authenticated Contributor account to save malicious scripts that execute later in the browser of administrators or other users who view the stored content. Rated medium-ish (CVSS 6.5) because it requires Contributor access and a privileged user to view the content, this bug can nonetheless be chained with other issues to produce a serious compromise. Immediate mitigations are required: identify the plugin, remove or disable it if you cannot patch, restrict Contributor privileges, search for and clean stored content, and apply temporary server-side protections until a secure fix is deployed.
Why this matters (in plain language)
Stored XSS means malicious code is saved on your site and later served to other users. In this case:
- An account with Contributor privileges can submit input containing JavaScript or HTML payloads.
- The payload is stored in the database and later rendered in pages or admin screens viewed by higher‑privileged users (Editors, Administrators).
- When viewed, the browser executes the malicious script in the context of your site — enabling session theft, UI manipulation, privileged actions, or delivery of secondary payloads.
This vulnerability requires an authenticated Contributor (or similar capability) and typically an admin view to trigger. That requirement reduces remote risk but does not make the issue harmless — stored XSS persists and can be executed repeatedly against many targets.
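To make the mechanism concrete, here is an added example of the vulnerable pattern beside its hardened form. This is hypothetical illustrative code written for this article, not the plugin's actual source; the field name `bmi_label`, the meta key `_bmi_label`, and the function names are assumptions.

```php
<?php
// Added illustrative example (hypothetical, not the plugin's real code): a
// Contributor-supplied value that becomes stored XSS, and the hardened version.
// WordPress runs its own HTML filter (kses) on post_content for users without
// unfiltered_html, but plugin-managed meta fields bypass that filter unless the
// plugin sanitizes on save and escapes on output.

// --- Vulnerable pattern ---------------------------------------------------
// The value is saved raw and echoed raw, so a payload such as an <img onerror>
// persists in the database and runs for every Editor/Administrator who views it.
function bmi_save_label_vulnerable( $post_id ) {
    if ( isset( $_POST['bmi_label'] ) ) {
        update_post_meta( $post_id, '_bmi_label', $_POST['bmi_label'] ); // no sanitization
    }
}
function bmi_render_label_vulnerable( $post_id ) {
    $label = get_post_meta( $post_id, '_bmi_label', true );
    return '<div class="bmi-label">' . $label . '</div>';              // no escaping
}

// --- Hardened pattern -----------------------------------------------------
function bmi_save_label_safe( $post_id ) {
    // Verify the request came from the edit screen and the user may edit this post.
    if ( ! isset( $_POST['bmi_nonce'] )
         || ! wp_verify_nonce( $_POST['bmi_nonce'], 'bmi_save_label' )
         || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['bmi_label'] ) ) {
        // Strip tags and control characters on the way in (defence in depth).
        $clean = sanitize_text_field( wp_unslash( $_POST['bmi_label'] ) );
        update_post_meta( $post_id, '_bmi_label', $clean );
    }
}
function bmi_render_label_safe( $post_id ) {
    $label = get_post_meta( $post_id, '_bmi_label', true );
    // Escape on output: this is the control that prevents script execution even
    // if a payload reached the database through some other path.
    return '<div class="bmi-label">' . esc_html( $label ) . '</div>';
}

add_action( 'save_post', 'bmi_save_label_safe' );
add_shortcode( 'bmi_label', function () {
    return bmi_render_label_safe( get_the_ID() );
} );
```

The output escaping (`esc_html`, or `esc_attr` inside attributes) is the control that matters most; input sanitization alone leaves any already-stored payload live.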
Quick facts
- Affected plugin: Global Body Mass Index Calculator
- Affected versions: ≤ 1.2
- Vulnerability class: Stored cross-site scripting (XSS)
- Required privilege: Contributor (authenticated)
- CVE: CVE-2026-8883
- Severity / score: CVSS 6.5 (medium-ish)
- Patch status: No official patch available at time of disclosure
- Disclosure date: 2026-06-08
- Research credited to: security researcher (publicly credited)
Risk assessment — what an attacker can do
Even though exploitation requires an authenticated Contributor, impacts include:
- Execution of arbitrary JavaScript in administrator browsers, allowing actions performed via the admin session (create users, change settings, inject content).
- Delivery of secondary payloads: webshells, miners, redirector scripts or persistent backdoors.
- Pivoting to other internal resources accessible from an admin browser.
- Automated abuse on sites that allow open registration or have many contributors, enabling mass exploitation.
Immediate mitigation checklist
- Identify the installation: Go to Dashboard → Plugins → Installed Plugins and check for “Global Body Mass Index Calculator”. If it is installed and the version is ≤ 1.2, treat the plugin as vulnerable.
- Deactivate if you cannot patch: Deactivating removes the attack surface until an official fixed version is released. If the plugin is essential, use the temporary mitigations below.
- Restrict Contributor-like capabilities: Suspend or remove untrusted Contributor accounts. Audit accounts with capabilities such as edit_posts and consider assigning a more restricted custom role to untrusted users.
- Scan for suspicious content: Search posts, comments, form entries and plugin-managed content for