Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Subscriber authentication (PR:L) and admin victim page-load (UI:R) required; S:C reflects admin-context execution; A:N assigned as XSS does not directly impact availability.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Cross Site Scripting (XSS) in ShortPixel Adaptive Images <= 3.11.3 versions.
AnalysisAI
Stored Cross-Site Scripting in ShortPixel Adaptive Images WordPress plugin (versions <= 3.11.3) enables authenticated subscriber-role users to inject malicious scripts that execute in the browsers of higher-privileged users, including administrators. The CVSS changed-scope indicator (S:C) signals that injected payloads can transcend the attacker's own session context - a meaningful risk in WordPress environments where admin account takeover is feasible via session hijacking. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress subscriber-level account (confirmed by PR:L in the CVSS vector) - the attacker must be authenticated to the target WordPress instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.5 Medium (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running ShortPixel Adaptive Images <= 3.11.3 and submits a crafted XSS payload through a plugin-controlled input field, which is persisted without sanitization. When a site administrator subsequently visits the affected page or admin panel area rendering that content, the payload executes in their browser session. … |
| Remediation | Update ShortPixel Adaptive Images to a version above 3.11.3 immediately; the exact patched release is not independently confirmed from available input data - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/shortpixel-adaptive-images/vulnerability/wordpress-shortpixel-adaptive-images-plugin-3-11-3-cross-site-scripting-xss-vulnerability) or the WordPress plugin repository to identify the current fixed release before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Shortpixel Adaptive Images
View allThe ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a parameter before outputting
Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41342
GHSA-h7qc-4h62-77r8