CVE-2026-9860
Remote Code Execution in Cloudflare Images WordPress Plugin

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping: sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing, so a single quote in the account-id or api-key parameter breaks out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.
Affected Vendors & Products (1 associated CPE)
Vendor: cloudflare
Product: offload_ai_and_optimize_with_cloudflare_images
Version / Range: up to and including 1.10.2
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress has a Remote Code Execution vulnerability in all versions up to and including 1.10.2. This occurs via the 'account-id' parameter due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only author-level upload_files capability instead of the higher manage_options capability before writing to wp-config.php.

The vulnerability is further enabled by the lack of single-quote escaping in the input. The sanitize_text_field() function does not remove single quotes, and filter_input(INPUT_POST) bypasses the usual wp_magic_quotes() slashing. This allows an attacker to inject a single quote in the 'account-id' or 'api-key' parameter, breaking out of the single-quoted PHP string literal in the write_config() define() statement.

As a result, authenticated users with author-level access or higher can execute arbitrary code on the server because the required 'cf-images-nonce' nonce is exposed to all author-level and above users via the CFImages JavaScript object on wp-admin/upload.php, allowing them to pass the nonce check and reach the vulnerable wp-config.php write path.
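The following is an added illustration of the two defects the Description and Executive Summary above attribute to the setup handler (a missing manage_options check and a submitted value interpolated into a single-quoted define() literal). It is not the plugin's code: the constant name CF_IMAGES_ACCOUNT_ID, the helper names, and the assumption that an account ID is 32 hex characters are placeholders chosen for this example.

```php
<?php
// Added example, not the plugin's code. Constant name, helper names and the
// account-ID format (assumed: 32 hex characters) are illustrative assumptions.

// Weak pattern, as the advisory describes it: the submitted value is dropped
// into a single-quoted PHP literal. A quote inside the value ends the literal,
// and whatever follows it is parsed as PHP the next time wp-config.php loads.
function build_define_line_weak( string $name, string $value ): string {
    return "define( '{$name}', '{$value}' );";
}

// Hardened pattern: reject anything that is not a plausible account ID, then
// let var_export() generate a correctly escaped PHP literal so the emitted
// line is always exactly one string constant, whatever the input contains.
function build_define_line_safe( string $name, string $value ): string {
    if ( ! preg_match( '/\A[0-9a-f]{32}\z/', $value ) ) {
        throw new InvalidArgumentException( 'account-id has an unexpected format' );
    }
    return sprintf( 'define( %s, %s );', var_export( $name, true ), var_export( $value, true ) );
}

// Hardened AJAX entry point (assumed name). The nonce alone is not an
// authorization check, because the advisory notes it is visible to every
// upload-capable user; the capability test is what gates the file write.
function cf_images_do_setup_safe(): void {
    check_ajax_referer( 'cf-images-nonce', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Read from $_POST via wp_unslash() so wp_magic_quotes() slashing is undone
    // consistently, instead of bypassing it with filter_input(INPUT_POST).
    $account_id = sanitize_text_field( wp_unslash( $_POST['account-id'] ?? '' ) );
    try {
        $line = build_define_line_safe( 'CF_IMAGES_ACCOUNT_ID', $account_id );
    } catch ( InvalidArgumentException $e ) {
        wp_send_json_error( $e->getMessage(), 400 );
    }
    // ... write $line into wp-config.php here (file handling omitted) ...
    wp_send_json_success();
}
```

For a constructed value such as `abc'def`, build_define_line_weak() emits a line with a terminated literal, while build_define_line_safe() rejects it before any write; even if the allowlist were loosened, var_export() would emit the quote escaped.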

Impact Analysis

This vulnerability allows authenticated users with author-level access or higher to execute arbitrary code on the server remotely. This can lead to full compromise of the WordPress site, including unauthorized access, data theft, site defacement, or further exploitation of the server hosting the site.
