Description
The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2026-02-26
Score: 7.5 High
EPSS: 28.9% Moderate
KEV: No
Impact: Arbitrary File Read
Action: Patch
AI Analysis

Impact

The vulnerability resides in the WP Responsive Images WordPress plugin and allows an unauthenticated attacker to provide a crafted 'src' parameter that triggers a Path Traversal flaw (CWE-22). This flaw enables reading the contents of arbitrary files on the hosting server, potentially exposing sensitive information such as configuration files, credentials, or source code. The impact is a confidentiality breach; there is no direct evidence of code execution, denial of service, or other secondary effects in the provided data.

Affected Systems

The affected product is the WP Responsive Images plugin developed by Stuart Bates. All released versions up to and including 1.0 are vulnerable. Any WordPress site with this plugin installed at version 1.0 or earlier is impacted.

Risk and Exploitability

The CVSS score is 7.5, reflecting a high severity for confidentiality loss. The EPSS score of 28% indicates a relatively high probability of exploitation in practice. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending a web request containing an arbitrary 'src' value, and no authentication is required. The exploit path is straightforward via standard HTTP request manipulation.

Generated by OpenCVE AI on April 21, 2026 at 23:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Responsive Images to the latest available version or remove the plugin if it is no longer needed.
  • If an update is not possible immediately, temporarily disable the plugin or comment out the file-retrieval code to prevent arbitrary file reads.
  • Ensure the web server’s file system permissions restrict read access to critical directories (e.g., configuration, user uploads) so that even if the flaw is exploited, sensitive files remain inaccessible.
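While waiting for a fixed release, a site operator can check existing access logs for traversal attempts against the 'src' parameter described above. The script below is an added example, not OpenCVE's or the plugin's code; the log lines are constructed samples in combined log format, and the request path /index.php is a placeholder rather than the plugin's real endpoint.

```python
"""Flag access-log requests whose 'src' query value looks like path traversal
(CVE-2026-1557 pattern). Sample data below is constructed, not a real capture."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (combined log format); /index.php is a placeholder path.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2026:20:01:10 +0000] "GET /index.php?src=images/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Feb/2026:20:01:12 +0000] "GET /index.php?src=../../../wp-config.php HTTP/1.1" 200 3400 "-" "curl/8.0"
203.0.113.9 - - [26/Feb/2026:20:01:13 +0000] "GET /index.php?src=..%252F..%252Fwp-config.php HTTP/1.1" 200 3400 "-" "curl/8.0"
203.0.113.9 - - [26/Feb/2026:20:01:14 +0000] "GET /index.php?src=/var/www/html/wp-config.php HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.7 - - [26/Feb/2026:20:02:00 +0000] "GET /index.php?src=uploads/2026/banner.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value: str) -> str:
    """Peel repeated URL encoding (e.g. %252F -> %2F -> /) and normalise slashes."""
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True if the decoded 'src' value escapes a plain relative sub-path."""
    decoded = fully_decode(value)
    if "\x00" in decoded or decoded.startswith("/") or re.match(r"^[A-Za-z]:/", decoded):
        return True
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request: source IP, HTTP status, decoded src."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for src in parse_qs(query, keep_blank_values=True).get("src", []):
            if is_traversal(src):
                hits.append({"ip": m["ip"], "status": int(m["status"]), "src": fully_decode(src)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} src={hit['src']!r}")
```

A 200 response to a flagged request is the case to treat as a likely successful read and escalate; 4xx responses still indicate probing worth blocking at the source IP.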

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Stuartbates; Stuartbates wp Responsive Images; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Stuartbates; Stuartbates wp Responsive Images; Wordpress; Wordpress wordpress

Thu, 26 Feb 2026 02:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Type: Title
Values Removed: (none)
Values Added: WP Responsive Images <= 1.0 - Unauthenticated Path Traversal to Arbitrary File Read via src

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Stuartbates Wp Responsive Images
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:46.877Z

Reserved: 2026-01-28T17:23:50.112Z

Link: CVE-2026-1557

Vulnrichment

Updated: 2026-02-26T15:31:29.754Z

NVD

Status: Deferred

Published: 2026-02-26T02:16:19.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1557

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:45:02Z

Weaknesses