MEDIUM 6.4

CVE-2026-8883: Global Body Mass Index Calculator WordPress Plugin Stored XSS Vulnerability

The Global Body Mass Index Calculator WordPress plugin contains a stored cross-site scripting (XSS) flaw affecting versions 1.2 and earlier. Attackers with contributor-level access can inject malicious scripts through the plugin's shortcode functionality. These scripts persist in the database and execute whenever site visitors view affected pages, potentially compromising user sessions, stealing credentials, or spreading malware across your WordPress site.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the GBMI_Calc_Widget::widget() function. Shortcode attributes are extracted directly into local variables via @extract($args) and then echoed unescaped into an HTML style attribute (height/width) and HTML body context (title), allowing attribute-breakout payloads. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8883 is a stored XSS vulnerability in the GBMI_Calc_Widget::widget() function of the Global Body Mass Index Calculator plugin. The vulnerability stems from the use of PHP's @extract() function on user-supplied shortcode attributes without proper sanitization, combined with unescaped output in both HTML style attributes (height/width) and HTML body context (title). An authenticated attacker with contributor-level permissions or higher can craft a malicious shortcode with attribute-breakout payloads that, when saved to a post or page, will execute arbitrary JavaScript in the browsers of all users who subsequently view that content. The lack of input validation and output escaping creates a direct pathway for script injection.

Business impact

This vulnerability poses a persistent threat to WordPress sites using the affected plugin. Compromised pages can redirect users to phishing sites, inject credential-stealing forms, trigger drive-by downloads, or modify site content to deface your brand. Because the XSS payload is stored in the database, the attack affects all site visitors, not just the attacker. If your site collects sensitive data through contact forms or user accounts, this vulnerability could lead to data breaches. Additionally, malware distribution through your trusted domain can harm your reputation and trigger search engine penalties.

Affected systems

Global Body Mass Index Calculator plugin for WordPress, versions 1.2 and earlier. The vulnerability requires the attacker to have authenticated access with at least contributor-level permissions. Any WordPress site with this plugin installed and active is potentially affected if user accounts with contributor access or above are issued to untrusted parties or if those accounts are compromised.

Exploitability

Exploitation requires authentication (contributor access or higher) and user interaction (a site visitor must view an injected page). However, the authentication barrier is relatively low—many WordPress sites grant contributor access to content creators or guest authors. Once a malicious shortcode is published, the XSS payload executes automatically without further user action on the attacker's part. The CVSS score of 6.4 (MEDIUM) reflects the requirement for authenticated access but accounts for the broad impact across all site visitors. This is not a critical zero-click vulnerability, but it is a practical and persistent threat in environments with loose access controls.

Remediation

Update the Global Body Body Mass Index Calculator plugin to a patched version released after June 9, 2026. Verify the patch version against the vendor's official advisory. If no patch is available, disable or remove the plugin. As interim measures, audit contributor and author accounts for unauthorized activity, review post and page revisions for suspicious shortcode usage, and consider restricting shortcode capability to administrators only via capability filtering plugins.

Patch guidance

Check the WordPress plugin repository and the vendor's advisory for the release date of version 1.3 or later. Apply the update through the WordPress admin dashboard (Plugins > Installed Plugins > Update). Test the update in a staging environment first to ensure compatibility with your theme and other plugins. After updating, scan your site's posts and pages for any existing malicious shortcode payloads and remove them. If no patched version has been released as of your assessment date, verify the plugin's status with the vendor or consider replacing it with an alternative plugin.

Detection guidance

Search your WordPress posts, pages, and custom post types for instances of the 'gbmicalc' shortcode, particularly those with unusual attributes or attributes containing special characters, quotes, or script-like syntax. Review the revision history of affected pages to identify when malicious shortcodes were added. Use WordPress security plugins to audit user capabilities and review contributor-level account activity logs. Monitor for unexpected JavaScript execution or outbound requests from pages containing the shortcode. If you have access to server logs, search for POST requests to wp-admin/post.php with parameters modifying shortcode content.

Why prioritize this

This vulnerability merits prompt attention but not emergency response. The MEDIUM severity score and authentication requirement mean it poses less urgent risk than unauthenticated remote code execution vulnerabilities. However, prioritize remediation if you have issued contributor access to multiple users, if your site processes sensitive user data, or if you cannot easily audit and monitor all published content. Sites with strict access controls and infrequent contributor access can take a measured approach to patching and monitoring.

Risk score, explained

The CVSS 3.1 score of 6.4 reflects a combination of factors: Network-accessible (AV:N) with low attack complexity (AC:L), but requiring low privilege authenticated access (PR:L). The impact is confined to integrity and confidentiality (C:L/I:L) with no direct availability impact, and the scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The score does not include ransomware or exploit-in-the-wild data; it represents the intrinsic severity of the flaw itself.

Frequently asked questions

Do I need to be a WordPress administrator to be vulnerable to this attack?

No. The attacker needs only contributor-level access or higher, which is commonly granted to authors, editors, and other content creators. However, an attacker must have an authenticated account; they cannot exploit the vulnerability from outside your WordPress site without credentials.

If I disable the plugin, am I safe from this vulnerability?

Disabling the plugin prevents the vulnerable shortcode from being processed, so existing malicious payloads will no longer execute. However, any malicious content already stored in your database persists. For complete safety, deactivate the plugin, audit your content for malicious shortcodes, remove them, and then consider uninstalling it entirely.

What should I do if I suspect my site has been compromised by this vulnerability?

First, update the plugin to the patched version. Then, review all posts, pages, and revisions for suspicious 'gbmicalc' shortcodes or other script-like content. Check user account logs for unauthorized access. Scan your site with a security plugin or engage a professional security firm. If you handle user data, consider notifying affected users and resetting security tokens.

Does this vulnerability allow remote code execution on my server?

No. This is a stored XSS vulnerability, meaning it injects scripts that run in users' browsers, not code that executes on your server. However, JavaScript running in a user's browser can still steal session cookies, redirect users, or capture credentials, which is a serious threat.

This analysis is provided for informational purposes and reflects the vulnerability as described in public disclosures as of June 17, 2026. Patch availability, version numbers, and vendor guidance should be verified against the official WordPress plugin repository and the vendor's advisory before taking action. No exploit code or detailed attack methodology is provided. Organizations should conduct their own risk assessment based on their environment, access controls, and data sensitivity. This document does not constitute professional security advice or a guarantee of security; consult qualified security professionals for guidance specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).