Description
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.
Published: 2026-06-24
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Image Sizes on Demand WordPress plugin is vulnerable because the PHP_SELF server variable is echoed directly without sanitization or escaping, allowing an attacker to inject arbitrary client-side scripts into the plugin’s settings page. An unauthenticated attacker can craft a URL that includes malicious payloads and trick an administrator into visiting it; the script then executes within the administrator’s browser context.
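The pattern described above, shown as an added illustration that is not the plugin's own code: a WordPress settings form that reflects `$_SERVER['PHP_SELF']` into an HTML attribute unescaped, beside a hardened form that builds its action from a trusted source and escapes it with WordPress's own helpers. The function names and the `isod-settings` menu slug are assumptions made for this example.

```php
<?php
// Added illustration of CWE-79 via PHP_SELF. This is NOT the Image Sizes on
// Demand plugin's actual code; function names and the 'isod-settings' slug
// are assumed for the example.

// VULNERABLE PATTERN: the request path is reflected into an attribute without
// escaping. PHP_SELF is built from the request URI and, on common server
// configurations, includes any path-info a visitor appends, so its contents
// are attacker-controlled even though the page itself is admin-only.
function isod_settings_form_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only admins render this, so a reflected script runs as admin
    }
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}

// HARDENED PATTERN: do not reflect the request path at all. Derive the form
// action from admin_url() plus a fixed page slug, and escape it for attribute
// context with esc_url(), which drops characters such as < > " and encodes '.
function isod_settings_form_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $action = admin_url( 'options-general.php?page=isod-settings' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'isod_save_settings', 'isod_nonce' ); // CSRF token for the POST
    echo '<input type="submit" value="' . esc_attr__( 'Save', 'isod' ) . '" />';
    echo '</form>';
}

// If the current request path must be reused (rarely necessary in wp-admin),
// pass it through esc_url() so it is neutralized for attribute output, and add
// query arguments with add_query_arg() instead of string concatenation.
function isod_form_action_from_request() {
    $path = isset( $_SERVER['PHP_SELF'] ) ? $_SERVER['PHP_SELF'] : '';
    return esc_url( add_query_arg( 'page', 'isod-settings', $path ) );
}
```

The capability check in the vulnerable function is what makes the reflected script run with administrator privileges rather than preventing the issue: authorization gates who renders the page, while output escaping is what stops request data from becoming markup. The hardened form also removes the dependency on `PHP_SELF` entirely, which is the simplest way to avoid the class of bug, and `esc_url()` remains as defense in depth where the request path cannot be avoided.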

Affected Systems

WordPress sites running the pixelwelt Image Sizes on Demand plugin version 1.3 or earlier are affected. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 6.1 reflects moderate severity. No EPSS score is available and the flaw is not in CISA’s KEV catalog, indicating that widespread exploitation has not yet been documented. Successful exploitation requires an admin to click a malicious link, after which the injected script runs as the admin, potentially allowing theft of session cookies or other privileged data confined to the settings page. Overall the risk remains moderate but should not be ignored on active WordPress sites.

Generated by OpenCVE AI on June 24, 2026 at 09:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Image Sizes on Demand plugin to a newer version that removes the PHP_SELF vulnerability.
  • If an upgrade cannot be performed immediately, consider disabling the plugin or preventing the PHP_SELF variable from being reflected when the settings page loads.
  • Enforce a content security policy that blocks inline script execution and scan the plugin’s files for any injected code.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.
Title | | Image Sizes on Demand <= 1.3 - Reflected Cross-Site Scripting via PHP_SELF Server Variable
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:32.724Z

Reserved: 2026-05-14T18:40:57.242Z

Link: CVE-2026-8622

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:45:14Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')