CVE-2026-9860
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk43th percentile — higher than 43% of all known CVEs
Summary
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to and including 1.10.2 via the 'account-id' parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, allowing authenticated attackers with author-level access to execute code on the server.
Risk Assessment
Attackers with author-level access can exploit this vulnerability to execute arbitrary code on the server, posing a significant security threat to the system.
Recommendation
It is recommended to update the plugin to the latest version and review user permissions to limit access to critical functions.
Original NVD description (English source)
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing — allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.

