Image Sizes On Demand
Monthly
Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.