PatchSiren cyber security CVE debrief

CVE-2026-9860 vanyukov CVE debrief

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution (RCE) in all versions up to, and including, 1.10.2. This vulnerability is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php. The absence of single-quote escaping in the 'account-id' parameter allows a single quote to break out of the single-quoted PHP string literal in the write_config() define() statement. Authenticated attackers with author-level access and above can exploit this vulnerability to execute code on the server.

Vendor: vanyukov
Product: Offload, AI & Optimize with Cloudflare Images
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-18
Advisory published: 2026-06-18
Advisory updated: 2026-06-18

Who should care

WordPress administrators whose sites run the Offload, AI & Optimize with Cloudflare Images plugin at version 1.10.2 or earlier, particularly sites that grant author-level access or above to users who are not fully trusted, should be aware of this vulnerability and patch their installations immediately.

Technical summary

The vulnerability exists in the cf_images_do_setup AJAX handler, which is accessible to users with the upload_files capability (Author+). The handler writes to wp-config.php without requiring the manage_options capability. The 'account-id' parameter is not properly sanitized, allowing a single quote to break out of the PHP string literal and execute arbitrary code. The cf-images-nonce nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object.
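As an added illustration written for this debrief (hypothetical code, not the plugin's own source), the weak pattern the summary describes beside a hardened handler. Function, option and constant names are assumptions, as is the 32-hex-character account ID format used for validation; the nonce action and query-argument names are assumed to match the cf-images-nonce mentioned above.

```php
<?php
// Added illustration of the defect class described in this debrief.
// Hypothetical code; names are assumptions, not the plugin's identifiers.

// WEAK pattern: reachable by any user holding upload_files, and the
// user-supplied value is concatenated into a single-quoted PHP literal.
// A "'" inside account-id terminates that literal, so whatever follows it
// is parsed as PHP when wp-config.php is next loaded.
function weak_write_config( string $account_id ): string {
    return "define( 'CF_IMAGES_ACCOUNT_ID', '" . $account_id . "' );\n";
}

// HARDENED handler: require manage_options (not just upload_files), verify
// the nonce, accept only the expected identifier shape, and avoid writing
// PHP source at all by storing the value in the options table.
function hardened_cf_images_do_setup(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Assumed action/query-arg names; dies on a missing or invalid nonce.
    check_ajax_referer( 'cf-images-nonce', 'nonce' );

    $account_id = isset( $_POST['account-id'] )
        ? (string) wp_unslash( $_POST['account-id'] )
        : '';
    // Assumption: Cloudflare account IDs are 32 lowercase hex characters.
    // A strict allow-list rejects quotes, backslashes and newlines outright.
    if ( ! preg_match( '/^[a-f0-9]{32}$/', $account_id ) ) {
        wp_send_json_error( 'invalid account id', 400 );
    }
    update_option( 'cf_images_account_id', $account_id, false );
    wp_send_json_success();
}

// If a define() in wp-config.php is genuinely required, emit the literal with
// var_export(), which escapes quotes and backslashes instead of trusting the
// input; keep the allow-list check above as the primary control.
function safe_define_line( string $name, string $value ): string {
    return sprintf(
        "define( %s, %s );\n",
        var_export( $name, true ),
        var_export( $value, true )
    );
}
```

Detection-wise, a request to the cf_images_do_setup action from a non-administrator account, or any change to the modification time of wp-config.php that does not coincide with an administrative change, is worth alerting on.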

Defensive priority

High

Recommended defensive actions

  • Update the Offload, AI & Optimize with Cloudflare Images plugin to a version that fixes the vulnerability.
  • Restrict access to the wp-admin/upload.php page to only trusted users.
  • Monitor server logs for suspicious activity.
  • Implement a Web Application Firewall (WAF) to detect and prevent RCE attacks.
  • Regularly review and update WordPress plugins and themes to ensure they are up-to-date and secure.
  • Consider using a security plugin to provide additional protection against RCE attacks.

Evidence notes

The vulnerability was reported by [email protected] and is documented in the Wordfence threat intelligence database. The CVE record and NVD detail pages provide additional information about the vulnerability.

Official resources

The CVE-2026-9860 vulnerability was published on 2026-06-18T06:16:59.063Z and modified on 2026-06-18T19:16:23.927Z.