CVE-2026-9860
Deferred Deferred - Pending Action

Remote Code Execution in Cloudflare Images WordPress Plugin

Vulnerability report for CVE-2026-9860, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping β€” sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing β€” allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-07
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cloudflare offload_ai_and_optimize_with_cloudflare_images to 1.10.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves identifying if the Offload, AI & Optimize with Cloudflare Images plugin for WordPress is installed and running a version up to and including 1.10.2.

Since the vulnerability exploits the 'account-id' parameter in the cf_images_do_setup AJAX handler, monitoring for suspicious POST requests to this AJAX endpoint with unusual single-quote characters in parameters could indicate exploitation attempts.

You can check the plugin version by running the following WP-CLI command:

  • wp plugin list --status=active | grep 'offload_ai_and_optimize_with_cloudflare_images'

To detect suspicious AJAX requests, you might review web server logs for POST requests to admin-ajax.php with the action parameter set to cf_images_do_setup and look for payloads containing single quotes or unusual characters.

  • grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'cf_images_do_setup' | grep "'"

Additionally, monitoring for unexpected modifications to wp-config.php could help detect exploitation.

  • stat wp-config.php
  • diff wp-config.php wp-config.php.bak
Mitigation Strategies

Immediate mitigation steps include updating the Offload, AI & Optimize with Cloudflare Images plugin to a version later than 1.10.2 where this vulnerability is fixed.

If an update is not immediately possible, restrict author-level users' ability to access or execute the vulnerable AJAX handler by limiting upload_files capability or restricting access to wp-admin/upload.php.

Additionally, monitor and audit wp-config.php for unauthorized changes and consider temporarily disabling the plugin until a patch is applied.

Executive Summary

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress has a Remote Code Execution vulnerability in all versions up to and including 1.10.2. This occurs via the 'account-id' parameter due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only author-level upload_files capability instead of the higher manage_options capability before writing to wp-config.php.

The vulnerability is further enabled by the lack of single-quote escaping in the input. The sanitize_text_field() function does not remove single quotes, and filter_input(INPUT_POST) bypasses the usual wp_magic_quotes() slashing. This allows an attacker to inject a single quote in the 'account-id' or 'api-key' parameter, breaking out of the single-quoted PHP string literal in the write_config() define() statement.

As a result, authenticated users with author-level access or higher can execute arbitrary code on the server because the required 'cf-images-nonce' nonce is exposed to all author-level and above users via the CFImages JavaScript object on wp-admin/upload.php, allowing them to pass the nonce check and reach the vulnerable wp-config.php write path.

Impact Analysis

This vulnerability allows authenticated users with author-level access or higher to execute arbitrary code on the server remotely. This can lead to full compromise of the WordPress site, including unauthorized access, data theft, site defacement, or further exploitation of the server hosting the site.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart