Shortpixel Adaptive Images
Monthly
Stored Cross-Site Scripting in ShortPixel Adaptive Images WordPress plugin (versions <= 3.11.3) enables authenticated subscriber-role users to inject malicious scripts that execute in the browsers of higher-privileged users, including administrators. The CVSS changed-scope indicator (S:C) signals that injected payloads can transcend the attacker's own session context - a meaningful risk in WordPress environments where admin account takeover is feasible via session hijacking. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis.
The ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Stored Cross-Site Scripting in ShortPixel Adaptive Images WordPress plugin (versions <= 3.11.3) enables authenticated subscriber-role users to inject malicious scripts that execute in the browsers of higher-privileged users, including administrators. The CVSS changed-scope indicator (S:C) signals that injected payloads can transcend the attacker's own session context - a meaningful risk in WordPress environments where admin account takeover is feasible via session hijacking. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis.
The ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.