Impact
The vulnerability is a cross‑site scripting flaw (CWE‑79) present in ShortPixel Adaptive Images plugin versions up to 3.11.3. It permits a subscriber or other user who can submit content that the plugin processes to inject arbitrary JavaScript that runs in the browsers of visitors who view the affected content. The impact is limited to the client side; it does not provide code execution on the server but can lead to theft of cookies, phishing, or defacement of the site’s front‑end.
Affected Systems
WordPress sites that run the ShortPixel Adaptive Images plugin at version 3.11.3 or earlier are affected. The plugin is developed by ShortPixel and is the only product listed as impacted.
Risk and Exploitability
The CVSS score of 6.5 places this flaw in the medium severity range. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, so the likelihood of widespread exploitation cannot be estimated; no publicly known exploits have been reported. The likely attack vector is malicious input submitted by a subscriber; exploitation requires that a victim’s browser renders the affected content, making it a client‑side threat. Given the moderate severity and the potential damage to user experience and trust, the risk is significant for sites with a large public audience.
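The defensive point behind a CWE‑79 finding of this kind is contextual output escaping: user‑controlled values must be escaped for the exact HTML context they land in before they reach the page. The example below is an added illustration, not code from the ShortPixel plugin or from OpenCVE, and it does not show where the plugin’s actual flaw lies; it contrasts a hypothetical unescaped image‑tag renderer with a hardened one and uses Python’s own HTML parser to check whether an injected attribute survives. The sample values and function names are constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample of user-controlled values, e.g. an image URL and caption a
# low-privilege user could supply in content that is later rendered. These are
# hypothetical test inputs, not data taken from the plugin.
USER_SRC = 'photo.jpg" onerror="alert(1)'
USER_ALT = "Summer trip"


def render_img_unsafe(src, alt):
    """Vulnerable pattern (CWE-79): raw string concatenation into HTML.

    A double quote inside `src` closes the attribute early and lets the
    remainder of the value be parsed as new attributes.
    """
    return f'<img src="{src}" alt="{alt}">'


def render_img_safe(src, alt):
    """Hardened pattern: escape for the double-quoted attribute context.

    quote=True turns " into &quot; so the attribute cannot be terminated by
    user data. (WordPress exposes the same idea as esc_attr(); this example
    uses the Python standard library instead.)
    """
    return (
        f'<img src="{html.escape(src, quote=True)}" '
        f'alt="{html.escape(alt, quote=True)}">'
    )


class AttrCollector(HTMLParser):
    """Collects (tag, attributes) for every start tag in a markup fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser decodes entities in attribute values, so we see the
        # attribute set exactly as a browser would build it.
        self.tags.append((tag, dict(attrs)))


def parse_attributes(markup):
    """Return a list of (tag, {attr: value}) pairs parsed from `markup`."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def has_event_handler(markup):
    """True if any parsed tag carries an on* attribute (e.g. onerror, onload).

    Used here as a verification check on rendered output, not as an input
    filter: input filtering is not a substitute for output escaping.
    """
    for _tag, attrs in parse_attributes(markup):
        if any(name.lower().startswith("on") for name in attrs):
            return True
    return False


if __name__ == "__main__":
    unsafe = render_img_unsafe(USER_SRC, USER_ALT)
    safe = render_img_safe(USER_SRC, USER_ALT)
    print("unsafe:", unsafe, "-> handler injected:", has_event_handler(unsafe))
    print("safe:  ", safe, "-> handler injected:", has_event_handler(safe))
```

Parsing the rendered output is what makes the difference observable: the unescaped version yields an `onerror` attribute the author never wrote, while the escaped version yields only `src` and `alt`, with the original `src` string preserved verbatim as data. The same check pattern applies to any template or shortcode output a plugin emits from user‑supplied values.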
OpenCVE Enrichment