CVE Catalog

CVE-2026-8622

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

The Image Sizes on Demand plugin for WordPress up to version 1.3 is vulnerable to Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable. This is due to insufficient input sanitization and output escaping.

Risk Assessment

An unauthenticated attacker can inject arbitrary web scripts that execute in the context of an administrator if they trick the user into clicking a link. This could lead to session hijacking, data theft, or unauthorized modification of plugin settings.

Recommendation

Update the Image Sizes on Demand plugin to the latest patched version immediately. Until then, restrict access to the plugin settings page to trusted administrators only.

Original NVD description (English source)

The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS