CVE-2026-8622
Deferred Deferred - Pending Action

Reflected Cross-Site Scripting in Image Sizes on Demand WordPress Plugin

Vulnerability report for CVE-2026-8622, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-29

Assigner: Wordfence

Description

The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-29
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_plugin image_sizes_on_demand to 1.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

An unauthenticated attacker can exploit this vulnerability to inject malicious scripts that execute in the administrator's browser.

This can lead to unauthorized actions performed with administrator privileges, potentially compromising the website's security.

The vulnerability has a CVSS v3.1 base score of 6.1, indicating a medium severity with low attack complexity but requiring user interaction.

Executive Summary

The Image Sizes on Demand plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability via the PHP_SELF server variable in all versions up to and including 1.3.

This vulnerability exists because the plugin does not properly sanitize or escape input, allowing an attacker to inject arbitrary web scripts.

These injected scripts execute when a user is tricked into performing an action such as clicking a malicious link.

The payload only executes in the context of an administrator since the affected page requires the manage_options capability.

Mitigation Strategies

To mitigate this vulnerability, you should update the Image Sizes on Demand WordPress plugin to a version later than 1.3 where the issue is fixed.

Additionally, restrict access to the plugin's settings page to trusted administrators only, as the vulnerability executes in the context of users with manage_options capability.

Avoid clicking on suspicious links that could trigger the reflected cross-site scripting attack.

Detection Guidance

This vulnerability involves Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable in the Image Sizes on Demand WordPress plugin up to version 1.3. Detection typically involves checking if the vulnerable plugin version is installed and verifying if the plugin's settings page is accessible.

Since the vulnerability requires an administrator context to execute, detection can include scanning for the presence of the plugin and its version, and testing for reflected script injection in URLs referencing the plugin's settings page.

  • Use WP-CLI to list installed plugins and their versions: `wp plugin list`
  • Check if the Image Sizes on Demand plugin is installed and its version is 1.3 or below.
  • Manually or with a tool, attempt to inject a script payload in the URL parameter that uses PHP_SELF, for example by accessing a URL like: `https://example.com/wp-admin/admin.php?page=image-sizes-on-demand&<script>alert(1)</script>` and observe if the script executes or is reflected.
  • Use web vulnerability scanners that support WordPress plugin XSS detection to automate testing.
Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of an administrator. This can lead to unauthorized access or manipulation of administrative functions.

Such unauthorized access and potential data manipulation could impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure administrative controls.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8622. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart