Skip to main content

Image Sizes On Demand

1 CVEs product

Monthly

CVE-2026-8622 MEDIUM This Month

Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS WordPress Image Sizes On Demand
NVD
CVSS 3.1
6.1
EPSS
0.2%
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS WordPress Image Sizes On Demand
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy