Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Unauthenticated network delivery (AV:N, PR:N) with mandatory admin click (UI:R); S:C because injected script executes in victim browser context; no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.
AnalysisAI
Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Image Sizes on Demand plugin (version ≤ 1.3) must be installed and active on the target WordPress site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 score (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects a network-reachable, low-complexity, unauthenticated attack - but the mandatory user interaction (UI:R) and the constraint that the payload only executes for users with the manage_options WordPress capability (i.e., site administrators) meaningfully limit mass-exploitation potential. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running the Image Sizes on Demand plugin (≤ 1.3), crafts a URL to the plugin's settings page with a JavaScript payload embedded in the URL path to exploit the PHP_SELF reflection, and delivers it to the site administrator via a phishing email or compromised forum post. When the administrator clicks the link while logged into their WordPress dashboard, the malicious script executes in their browser session, allowing the attacker to exfiltrate the session cookie or silently create a rogue administrator account. … |
| Remediation | No fixed version number has been confirmed in the available reference data - patch availability should be verified directly via the plugin's WordPress.org repository page before assuming a fix exists. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38687
GHSA-crf7-vj54-j76v