PatchSiren cyber security CVE debrief
CVE-2026-8622 pixelwelt CVE debrief
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render. Successful exploitation requires user interaction and the attacker must be able to trick a user into taking an action. The CVSS score for this vulnerability is 6.1, indicating a medium severity level.
- Vendor: pixelwelt
- Product: Image Sizes on Demand
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-25
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-25
Who should care
Administrators and users of the Image Sizes on Demand plugin for WordPress should be aware of this vulnerability and take steps to mitigate it. This vulnerability is particularly concerning for users with administrative privileges, as the injected payload only executes in their context. Users should ensure they are running a version of the plugin that has addressed this issue.
Technical summary
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable. This vulnerability exists in all versions up to and including 1.3 of the plugin. The root cause is insufficient input sanitization and output escaping: the settings page reflects the PHP_SELF server variable, which is derived from the request path, without escaping it for the HTML context in which it is written. A crafted link can therefore cause attacker-supplied script to run in the browser of a user who follows it. Because the settings page is only rendered for users with the manage_options capability, the payload executes only in the context of an administrator. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 6.1, indicating a medium severity level. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
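To make the defect class concrete, the following is an added illustration and not the plugin's own code: a WordPress settings-page callback that builds its form action from $_SERVER['PHP_SELF'] (the weak pattern behind this CVE class) beside a hardened version that builds the URL from a known admin endpoint and escapes it. The function names, option group and page slug are hypothetical.

```php
<?php
// Added example, not the Image Sizes on Demand plugin's code.
// Names below (example_* functions, option group, page slug) are hypothetical.

// Weak pattern: PHP_SELF is built from the request path, which a crafted link
// can extend with additional path segments. Writing it into an attribute
// unescaped lets that request-controlled text become part of the page, and the
// page only renders for administrators, so any script it carries runs in an
// administrator's browser.
function example_settings_page_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // capability gate: this is why the impact is scoped to administrators
    }
    ?>
    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
        <?php settings_fields( 'example_plugin_options' ); ?>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened pattern: do not reflect the request path at all. Construct the form
// target from a fixed admin endpoint with admin_url() and escape it for
// attribute context with esc_url(), so nothing from the request reaches the markup.
function example_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $action = admin_url( 'options-general.php?page=example-plugin-settings' ); // hypothetical slug
    ?>
    <form method="post" action="<?php echo esc_url( $action ); ?>">
        <?php settings_fields( 'example_plugin_options' ); ?>
        <?php submit_button(); ?>
    </form>
    <?php
}

// If request-derived state genuinely must be preserved (for example a tab
// selector), read it explicitly, validate it against a fixed list, and attach
// it with add_query_arg() before escaping:
function example_settings_action_with_tab( $raw_tab ) {
    $allowed = array( 'general', 'sizes' );                         // fixed whitelist
    $tab     = in_array( $raw_tab, $allowed, true ) ? $raw_tab : 'general';
    $url     = add_query_arg( 'tab', $tab, admin_url( 'options-general.php?page=example-plugin-settings' ) );
    return esc_url( $url );
}
```

The difference to look for in a plugin review is the source of the string that lands in the action attribute: anything derived from the request (PHP_SELF, REQUEST_URI, query parameters) must be validated and escaped with the WordPress escaping function matching the output context, and a fixed admin_url() target removes the reflection entirely.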
Defensive priority
This vulnerability should be prioritized for remediation: although rated medium, a successful lure runs script in the session of an administrator, since only users with manage_options can reach the affected settings page. Administrators should apply patches or updates as soon as possible to prevent potential attacks.
Recommended defensive actions
- Apply patches or updates to the Image Sizes on Demand plugin for WordPress to address this vulnerability.
- Ensure that all users, especially administrators, are aware of the potential risks and treat unsolicited links into the WordPress admin area with suspicion, since the payload only fires when an administrator follows a crafted link.
- Consider implementing additional security measures, such as web application firewalls (WAFs) or intrusion detection systems, to detect and prevent potential attacks.
- Regularly review and update plugins and software to ensure that known vulnerabilities are addressed.
- Monitor for suspicious activity and implement incident response plans in case of a potential attack.
Evidence notes
The CVE-2026-8622 record was published on June 24, 2026, and modified on June 25, 2026. The vulnerability was reported by [email protected] and is related to the Image Sizes on Demand plugin for WordPress. The CVSS score for this vulnerability is 6.1, indicating a medium severity level. The vulnerability allows for Reflected Cross-Site Scripting via the PHP_SELF server variable.
Official resources
This article is AI-assisted and based on the supplied source corpus.