Description
The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on the shortcode's 'width' and 'height' attributes in the athn_thumbnails() function, which are concatenated directly into an HTML <img> tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored Cross‑Site Scripting (XSS) exists in the Auto Thumbnails WordPress plugin because the 'width' and 'height' attributes of the 'thumbnails' shortcode are neither validated as dimensions nor escaped before being concatenated into an HTML <img> tag. An authenticated user with contributor privileges or higher can store a value that breaks out of the attribute and executes as script in the browser of anyone who loads the affected page, which can expose session data, steal information, or deface content. This is CWE-79 (Improper Neutralization of Input During Web Page Generation): an output-escaping weakness, not only an input-validation one.

Affected Systems

The vulnerability affects the Auto Thumbnails plugin from the vendor gapgag55, all versions up to and including 1.0, on any WordPress site where the plugin is installed and active.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates moderate severity; the EPSS estimate is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires authenticated contributor-level or higher access to create or modify content containing the shortcode. Once stored, the script runs for any user who views the page, including editors and administrators who preview or review a pending post, which is what the changed scope (S:C) in the vector reflects: a low-privilege account can reach higher-privilege browsers on the same site.

Generated by OpenCVE AI on May 27, 2026 at 07:35 UTC.
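
To make the mechanism in the Description and the Impact paragraph concrete, here is an added example (written for this page, not the plugin's athn_thumbnails() code and not published by gapgag55 or OpenCVE) showing the concatenation pattern the advisory describes beside a hardened version. The handler bodies, the fixed image path, the constructed payload and the stand-in definitions of shortcode_atts(), esc_attr() and absint() are assumptions so the file runs under plain `php` without a WordPress install; inside WordPress the real helpers are used.

```php
<?php
// Added illustration of the weakness described above (CWE-79 through shortcode
// attributes). This is NOT the Auto Thumbnails plugin's athn_thumbnails() code:
// the handler bodies, the fixed src path and the helper stand-ins are assumptions
// so the file runs under plain `php` with no WordPress install.

// Stand-ins for WordPress helpers, only defined when WordPress is not loaded.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array
    {
        // Keep only known attribute names and fill in defaults for missing ones.
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint): int
    {
        return abs((int) $maybeint);
    }
}

// Vulnerable pattern: attribute values concatenated straight into the <img> tag.
// A value containing a double quote closes the width attribute, and whatever
// follows becomes new attributes of the tag.
function vulnerable_thumbnails(array $atts): string
{
    $atts = shortcode_atts(['width' => '150', 'height' => '150'], $atts);
    return '<img src="/wp-content/uploads/thumb.jpg" width="' . $atts['width']
         . '" height="' . $atts['height'] . '">';
}

// Hardened pattern: a dimension can only ever be an integer, so coerce it with
// absint() (validation) and still escape at the point of output (defence in
// depth, and the habit that matters for attributes that must stay strings).
function hardened_thumbnails(array $atts): string
{
    $atts   = shortcode_atts(['width' => 150, 'height' => 150], $atts);
    $width  = absint($atts['width']);
    $height = absint($atts['height']);
    return sprintf(
        '<img src="/wp-content/uploads/thumb.jpg" width="%s" height="%s">',
        esc_attr((string) $width),
        esc_attr((string) $height)
    );
}

// Constructed attribute array, shaped like what WordPress hands the handler for
// [thumbnails width='100" onerror="alert(document.domain)' height="100"].
$payload = [
    'width'  => '100" onerror="alert(document.domain)',
    'height' => '100',
];

echo vulnerable_thumbnails($payload), PHP_EOL;
echo hardened_thumbnails($payload), PHP_EOL;
```

Run it with `php thumbnails.php`. In the vulnerable output the double quote in the width value terminates the width attribute and the rest of the payload lands in the tag as an onerror handler; in the hardened version absint() reduces the value to the leading integer and the handler text never reaches the markup. Casting is the right fix here only because a dimension is numeric by definition; for attributes that legitimately carry text, esc_attr() at output time is the minimum.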

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Auto Thumbnails plugin as soon as the vendor publishes a version that validates (casts to integer) and escapes the 'width' and 'height' shortcode attributes; at the time of writing no fixed version is listed.
  • Audit existing posts for the 'thumbnails' shortcode whose 'width' or 'height' attribute is anything other than a plain number, and remove or correct the injected content.
  • Until an update is available, deactivate or uninstall the Auto Thumbnails plugin to eliminate the XSS vector.

Generated by OpenCVE AI on May 27, 2026 at 07:35 UTC.
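
The second recommended action is easier to carry out with a small audit script. The following is an added example, not OpenCVE or plugin code: it takes post_content strings (the three sample posts are constructed, and the attribute syntax it handles is the `key="value"`, `key='value'` and bare `key=value` forms) and reports every 'thumbnails' shortcode whose width or height is not a plain integer. The rule is deliberately conservative: a value like `150px` is flagged for manual review alongside a real attribute-breakout payload, because nothing other than digits should appear in those attributes.

```php
<?php
// Added triage helper for the second recommended action. Not plugin or OpenCVE
// code; the sample posts and the shortcode attribute syntax handled here are
// assumptions.

// Parse the attribute string of one shortcode into a name => value map.
// Handles key="value", key='value' and bare key=value (no spaces) forms.
function parse_shortcode_atts(string $raw): array
{
    $atts = [];
    $pattern = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    if (preg_match_all($pattern, $raw, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $hit) {
            // Only one of groups 2, 3, 4 matches; trailing unmatched groups are unset.
            $value = $hit[2] ?? '';
            if ($value === '') {
                $value = $hit[3] ?? '';
            }
            if ($value === '') {
                $value = $hit[4] ?? '';
            }
            $atts[strtolower($hit[1])] = $value;
        }
    }
    return $atts;
}

// Return one finding per width/height attribute that is not a plain integer.
// A valid dimension is digits only; anything else (px suffixes, quotes, event
// handler text) is reported so a human can review and clean the post.
function find_suspicious_thumbnails(string $content): array
{
    $findings = [];
    // A shortcode runs from "[thumbnails" to the next "]"; quoted values may
    // contain quotes and angle brackets but not a closing bracket.
    if (!preg_match_all('/\[thumbnails\b([^\]]*)\]/i', $content, $matches, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($matches as $hit) {
        $atts = parse_shortcode_atts($hit[1]);
        foreach (['width', 'height'] as $dim) {
            if (isset($atts[$dim]) && !preg_match('/^\d{1,5}$/', $atts[$dim])) {
                $findings[] = [
                    'shortcode' => $hit[0],
                    'attribute' => $dim,
                    'value'     => $atts[$dim],
                ];
            }
        }
    }
    return $findings;
}

// Audit a map of post ID => post_content; returns only posts with findings.
function audit_posts(array $posts): array
{
    $report = [];
    foreach ($posts as $id => $content) {
        $findings = find_suspicious_thumbnails($content);
        if ($findings !== []) {
            $report[$id] = $findings;
        }
    }
    return $report;
}

// Constructed sample rows standing in for `SELECT ID, post_content FROM wp_posts`.
$posts = [
    42 => '<p>Team photos</p>[thumbnails width="150" height="150"]',
    43 => '[thumbnails width=\'1" onerror="alert(document.domain)\' height="1"]',
    44 => '[thumbnails width="150" height="150px"]',
];

foreach (audit_posts($posts) as $id => $findings) {
    foreach ($findings as $f) {
        printf("post %d: %s=%s in %s\n", $id, $f['attribute'], $f['value'], $f['shortcode']);
    }
}
```

Post 42 produces no finding, post 43 is reported for its width value, and post 44 is reported for the non-numeric height. On a real site, feed it the rows from `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[thumbnails%'` (assuming the default `wp_` table prefix); that query also returns revisions, which is desirable since a stored payload can live on in an older revision.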

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values removed: none
Values added: Gapgag55; Gapgag55 auto Thumbnails; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Gapgag55; Gapgag55 auto Thumbnails; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type: Description
Values removed: none
Values added: The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on the shortcode's 'width' and 'height' attributes in the athn_thumbnails() function, which are concatenated directly into an HTML <img> tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values removed: none
Values added: Auto Thumbnails <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values removed: none
Values added: CWE-79

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:31:31.086Z

Reserved: 2026-05-18T21:10:59.140Z

Link: CVE-2026-8899

Vulnrichment

Updated: 2026-05-27T10:31:26.011Z

NVD

Status : Received

Published: 2026-05-27T07:16:18.083

Modified: 2026-05-27T07:16:18.083

Link: CVE-2026-8899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:49Z

Weaknesses