Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS.This issue affects SEO Friendly Images: from n/a through <= 3.0.5.
AnalysisAI
DOM-based cross-site scripting (XSS) in Vladimir Prelovac SEO Friendly Images WordPress plugin version 3.0.5 and earlier allows authenticated attackers with low privileges to execute arbitrary JavaScript in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the WordPress admin dashboard with cross-site scope, enabling session hijacking, credential theft, or malicious actions on behalf of compromised administrators. EPSS exploitation probability is minimal at 0.03%, indicating low real-world attack likelihood despite the moderate CVSS score.
Technical ContextAI
The SEO Friendly Images plugin for WordPress processes user-supplied input without proper neutralization during DOM manipulation and HTML page generation. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a foundational XSS weakness. DOM-based XSS occurs when untrusted data is written to the DOM via JavaScript properties or methods (such as innerHTML, eval, or document.write) without sanitization. WordPress plugins operating in the admin context have access to authenticated sessions and CSRF tokens, making XSS in that context particularly dangerous for privilege escalation and lateral movement.
RemediationAI
Update SEO Friendly Images to a version above 3.0.5 immediately. WordPress administrators should navigate to Plugins > Installed Plugins, locate SEO Friendly Images, and click Update to the latest available version if not automatically applied. If an updated version is not yet released, deactivate and remove the plugin until a patch is available, as the vulnerability only affects authenticated plugin usage. Users should verify patched versions through the WordPress plugin directory and confirm version upgrade completion in the Plugins page. Additional hardening: implement WordPress security headers (Content-Security-Policy) to mitigate DOM XSS, restrict plugin editor access via wp-config.php setting (define('DISALLOW_FILE_EDIT', true)), and use Web Application Firewalls to detect/block XSS payloads in admin POST/GET parameters.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20339
GHSA-875q-xj6g-48pg