Skip to main content

Offload Ai Optimize With Cloudflare Images

1 CVEs product

Monthly

CVE-2026-9860 HIGH This Week

Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.

File Upload PHP WordPress RCE Offload Ai Optimize With Cloudflare Images +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.

File Upload PHP WordPress +3
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy