Skip to main content

ShortPixel Adaptive Images EUVDEUVD-2026-41342

| CVE-2026-57342 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-h7qc-4h62-77r8
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Subscriber authentication (PR:L) and admin victim page-load (UI:R) required; S:C reflects admin-context execution; A:N assigned as XSS does not directly impact availability.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:37 vuln.today

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in ShortPixel Adaptive Images <= 3.11.3 versions.

AnalysisAI

Stored Cross-Site Scripting in ShortPixel Adaptive Images WordPress plugin (versions <= 3.11.3) enables authenticated subscriber-role users to inject malicious scripts that execute in the browsers of higher-privileged users, including administrators. The CVSS changed-scope indicator (S:C) signals that injected payloads can transcend the attacker's own session context - a meaningful risk in WordPress environments where admin account takeover is feasible via session hijacking. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target WordPress site
Delivery
Submit XSS payload via ShortPixel plugin input field
Exploit
Payload stored in WordPress database
Execution
Administrator loads page rendering injected content
Persist
Malicious script executes in admin browser
Impact
Exfiltrate admin session token or perform unauthorized admin action

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress subscriber-level account (confirmed by PR:L in the CVSS vector) - the attacker must be authenticated to the target WordPress instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 Medium (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running ShortPixel Adaptive Images <= 3.11.3 and submits a crafted XSS payload through a plugin-controlled input field, which is persisted without sanitization. When a site administrator subsequently visits the affected page or admin panel area rendering that content, the payload executes in their browser session. …
Remediation Update ShortPixel Adaptive Images to a version above 3.11.3 immediately; the exact patched release is not independently confirmed from available input data - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/shortpixel-adaptive-images/vulnerability/wordpress-shortpixel-adaptive-images-plugin-3-11-3-cross-site-scripting-xss-vulnerability) or the WordPress plugin repository to identify the current fixed release before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy