Skip to main content

Image Sizes on Demand CVE-2026-8622

| EUVDEUVD-2026-38687 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Wordfence GHSA-crf7-vj54-j76v
6.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated network delivery (AV:N, PR:N) with mandatory admin click (UI:R); S:C because injected script executes in victim browser context; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:02 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 6.1

DescriptionCVE.org

The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.

AnalysisAI

Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site with plugin ≤ 1.3
Delivery
Craft URL with XSS payload in PHP_SELF path
Exploit
Deliver link to site administrator via phishing
Install
Administrator clicks link while authenticated
C2
settings.php reflects unsanitized PHP_SELF into page
Execute
Injected script executes in admin browser session
Impact
Attacker hijacks session or performs unauthorized admin action

Vulnerability AssessmentAI

Exploitation The Image Sizes on Demand plugin (version ≤ 1.3) must be installed and active on the target WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 score (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects a network-reachable, low-complexity, unauthenticated attack - but the mandatory user interaction (UI:R) and the constraint that the payload only executes for users with the manage_options WordPress capability (i.e., site administrators) meaningfully limit mass-exploitation potential. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running the Image Sizes on Demand plugin (≤ 1.3), crafts a URL to the plugin's settings page with a JavaScript payload embedded in the URL path to exploit the PHP_SELF reflection, and delivers it to the site administrator via a phishing email or compromised forum post. When the administrator clicks the link while logged into their WordPress dashboard, the malicious script executes in their browser session, allowing the attacker to exfiltrate the session cookie or silently create a rogue administrator account. …
Remediation No fixed version number has been confirmed in the available reference data - patch availability should be verified directly via the plugin's WordPress.org repository page before assuming a fix exists. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8622 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy