HIGH
vanyukov
CVE published 2026-06-18
CVE-2026-9860
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution (RCE) in all versions up to, and including, 1.10.2. This vulnerability is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php. The absence of single-qu [truncated]