CVE-2026-39665
DOM-Based XSS in SEO Friendly Images Plugin
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vladiir_preloavc | seo_friendly_images | to 3.0.5 (inc) |
| vladiir_preloavc | seo_friendly_images | From 3.0.0 (inc) to 3.0.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39665 is a Cross Site Scripting (XSS) vulnerability in the WordPress SEO Friendly Images Plugin versions up to and including 3.0.5.
This vulnerability allows attackers to inject malicious scripts such as redirects, advertisements, or other HTML payloads into websites using the plugin.
These malicious scripts execute when visitors access the compromised site.
Exploitation requires a user with at least Contributor or Developer privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts on your website, potentially leading to unauthorized redirects, unwanted advertisements, or other harmful HTML payloads being displayed to your visitors.
Since the malicious scripts run in the context of your website, this can compromise the user experience and trustworthiness of your site.
However, exploitation requires user interaction and a user with certain privileges, which lowers the overall risk.
No official patch is currently available, so immediate mitigation involves updating the plugin if possible or seeking help from hosting providers or web developers.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected SEO Friendly Images plugin if possible.
If updating is not possible, seek assistance from hosting providers or web developers to address the issue.