Description
Subscriber Cross Site Scripting (XSS) in ShortPixel Adaptive Images <= 3.11.3 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw (CWE‑79) present in ShortPixel Adaptive Images plugin versions up to 3.11.3. It permits a subscriber or other user who can submit content that the plugin processes to inject arbitrary JavaScript that runs in the browsers of visitors who view the affected content. The impact is limited to the client side; it does not provide code execution on the server but can lead to theft of cookies, phishing, or defacement of the site’s front‑end.

Affected Systems

WordPress sites that run the ShortPixel Adaptive Images plugin version 3.11.3 or earlier are affected. The plugin is developed by the ShortPixel vendor and is the only product listed as impacted.

Risk and Exploitability

The CVSS score of 6.5 places this flaw in the medium severity range. Because no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, the likelihood of widespread exploitation is unknown, and no well‑known exploits have been reported. The likely attack vector is malicious input submitted by a subscriber; exploitation requires that a target’s browser render the affected content, making it a client‑side threat. Given the moderate severity and the potential damage to user experience and trust, the risk is significant for sites with a large public audience.

Generated by OpenCVE AI on July 2, 2026 at 17:51 UTC.

Remediation

Vendor Solution

Update the WordPress ShortPixel Adaptive Images Plugin to the latest available version (at least 3.11.4).

OpenCVE Recommended Actions

  • Apply the latest version of the ShortPixel Adaptive Images plugin (at least 3.11.4).
  • Disable or remove the plugin if an upgrade cannot be performed immediately to eliminate the vulnerable code path.
  • Restrict the ability of non‑administrator user roles to submit image data that the plugin processes, or enforce a strict Content Security Policy to mitigate the impact of any residual XSS payloads.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 13:00:00 +0000

Values added:
  • First Time appeared: Shortpixel; Shortpixel shortpixel Adaptive Images; Wordpress; Wordpress wordpress
  • Vendors & Products: Shortpixel; Shortpixel shortpixel Adaptive Images; Wordpress; Wordpress wordpress

Thu, 02 Jul 2026 11:30:00 +0000

Values added:
  • Description: Subscriber Cross Site Scripting (XSS) in ShortPixel Adaptive Images <= 3.11.3 versions.
  • Title: WordPress ShortPixel Adaptive Images plugin <= 3.11.3 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T14:56:19.868Z

Reserved: 2026-06-24T12:45:24.971Z

Link: CVE-2026-57342

Vulnrichment

Updated: 2026-07-02T14:56:15.347Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T18:00:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')