Skip to main content

Seo Friendly Images CVE-2026-39665

| EUVDEUVD-2026-20339 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-875q-xj6g-48pg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
6.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20339
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS.This issue affects SEO Friendly Images: from n/a through <= 3.0.5.

AnalysisAI

DOM-based cross-site scripting (XSS) in Vladimir Prelovac SEO Friendly Images WordPress plugin version 3.0.5 and earlier allows authenticated attackers with low privileges to execute arbitrary JavaScript in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the WordPress admin dashboard with cross-site scope, enabling session hijacking, credential theft, or malicious actions on behalf of compromised administrators. EPSS exploitation probability is minimal at 0.03%, indicating low real-world attack likelihood despite the moderate CVSS score.

Technical ContextAI

The SEO Friendly Images plugin for WordPress processes user-supplied input without proper neutralization during DOM manipulation and HTML page generation. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a foundational XSS weakness. DOM-based XSS occurs when untrusted data is written to the DOM via JavaScript properties or methods (such as innerHTML, eval, or document.write) without sanitization. WordPress plugins operating in the admin context have access to authenticated sessions and CSRF tokens, making XSS in that context particularly dangerous for privilege escalation and lateral movement.

RemediationAI

Update SEO Friendly Images to a version above 3.0.5 immediately. WordPress administrators should navigate to Plugins > Installed Plugins, locate SEO Friendly Images, and click Update to the latest available version if not automatically applied. If an updated version is not yet released, deactivate and remove the plugin until a patch is available, as the vulnerability only affects authenticated plugin usage. Users should verify patched versions through the WordPress plugin directory and confirm version upgrade completion in the Plugins page. Additional hardening: implement WordPress security headers (Content-Security-Policy) to mitigate DOM XSS, restrict plugin editor access via wp-config.php setting (define('DISALLOW_FILE_EDIT', true)), and use Web Application Firewalls to detect/block XSS payloads in admin POST/GET parameters.

Share

CVE-2026-39665 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy