Description
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' and 'api-key' parameters. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping (sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing), allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with Author-level access and above, to execute code on the server. The 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, so any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.
Published: 2026-06-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Offload, AI & Optimize with Cloudflare Images WordPress plugin allows an authenticated user with Author or higher privileges to execute arbitrary PHP code on the hosting server. The flaw is in the cf_images_do_setup AJAX handler, which writes to wp-config.php after checking only the upload_files capability instead of manage_options. The handler does not escape single quotes in the account-id or api-key values (sanitize_text_field() leaves them intact, and reading them with filter_input(INPUT_POST) skips the slashing WordPress applies to $_POST), so a quote closes the single-quoted string literal in the generated define() statement and the rest of the value is written into wp-config.php as PHP code, which WordPress loads on every subsequent request. The record classifies the weakness as CWE-434 (Unrestricted Upload of File with Dangerous Type); in mechanism it is a missing authorization check combined with code injection into a generated PHP file.
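To make the string breakout concrete, the PHP below is an added illustration written for this page; it is not the plugin's write_config() or any other vendor code. The constant name CF_IMAGES_ACCOUNT_ID, the exact shape of the define() line and the attacker value are assumptions modelled on the description above. It builds the line the vulnerable way and the escaped way, then runs both through PHP's own lexer to show that only the unescaped line carries an identifier outside a string literal.

```php
<?php
// Added illustration of the injection described in the advisory. This is
// not the plugin's code; the constant name, the define() layout and the
// attacker-controlled value are assumptions made for the example.

// Vulnerable pattern: the value is dropped into a single-quoted PHP literal
// with no escaping, so a quote inside the value closes the literal early.
function build_define_vulnerable(string $name, string $value): string
{
    return "define( '" . $name . "', '" . $value . "' );";
}

// Hardened pattern: var_export() renders a valid single-quoted literal and
// escapes the only two characters that are special inside one, ' and \.
function build_define_safe(string $name, string $value): string
{
    return 'define( ' . var_export($name, true) . ', ' . var_export($value, true) . ' );';
}

// Tokenizes one generated line and returns every bare identifier (T_STRING)
// other than "define" that the lexer sees outside string literals. A
// correctly escaped line yields nothing; a broken-out line yields the
// injected function name(s).
function injected_identifiers(string $line): array
{
    $found = [];
    foreach (token_get_all("<?php " . $line) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && $tok[1] !== 'define') {
            $found[] = $tok[1];
        }
    }
    return $found;
}

// Constructed attacker value: close the literal, finish the define() call,
// append a statement, and comment out the tail of the original line.
// sanitize_text_field() passes this through, since it keeps single quotes.
$payload = "x', 1 ); system( 'id' ); // ";

$bad  = build_define_vulnerable('CF_IMAGES_ACCOUNT_ID', $payload);
$good = build_define_safe('CF_IMAGES_ACCOUNT_ID', $payload);

echo "vulnerable: ", $bad, PHP_EOL;
echo "hardened:   ", $good, PHP_EOL;

// Identifiers the lexer finds outside string literals in each line.
var_dump(injected_identifiers($bad));
var_dump(injected_identifiers($good));
```

Run it with the php CLI. In the vulnerable line the lexer reports system as a bare identifier, because the attacker's quote ended the literal; in the hardened line the whole value stays inside one string token. The slashing detail in the description is what delivers the bare quote: WordPress slashes $_POST, whereas filter_input(INPUT_POST, ...) returns the raw request value. Slashing is not the fix, though, since a backslash also needs escaping inside a single-quoted literal; var_export() handles both, and a manage_options check belongs in front of the write regardless of how the value is escaped.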

Affected Systems

All installations of Offload, AI & Optimize with Cloudflare Images up to and including version 1.10.2 are affected. Administrators should check the installed plugin version in the WordPress plugins screen; the record does not name a fixed release, so any version at or below 1.10.2 should be treated as vulnerable until the vendor ships a patched version.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) is High. The EPSS score under 1% estimates a low probability of exploitation in the wild over the next 30 days, and the CVE is not listed in the CISA KEV catalog. Exploitation requires an authenticated account holding the upload_files capability (Author or above), a visit to wp-admin/upload.php to read the cf-images-nonce value from the CFImages JavaScript object, and one crafted request to the cf_images_do_setup AJAX action. A successful request writes attacker-controlled PHP into wp-config.php, giving code execution as the web server user on every subsequent page load. Because Author accounts are routinely handed out on multi-author sites, any instance still running a vulnerable version should be treated as a high-risk exposure.

Generated by OpenCVE AI on June 18, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Offload, AI & Optimize with Cloudflare Images plugin as soon as a release is available in which the cf_images_do_setup AJAX action requires the manage_options capability and escapes the values it writes into wp-config.php. The record does not yet name such a release.
  • Until then, limit who can reach the handler: remove the upload_files capability from the non-administrator roles that hold it by default (Author and Editor), or otherwise restrict media uploads to administrators, and review existing Author-level and Editor-level accounts. Without upload_files a user neither passes the handler's capability check nor sees the cf-images-nonce on wp-admin/upload.php.
  • As a temporary code-level workaround, enforce a manage_options check ahead of the plugin's cf_images_do_setup handler and escape any value written into wp-config.php, or unregister the AJAX action entirely. Prefer doing this from a must-use plugin hooked to the same action at an earlier priority; direct edits to the plugin's own files are overwritten by the next plugin update.
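For the capability gate in the second and third actions, the must-use plugin below is an added example, not code from the plugin or its vendor. It assumes the plugin registers its handler on WordPress's standard hook for an AJAX action named cf_images_do_setup, that is wp_ajax_cf_images_do_setup, at the default priority of 10; the file name cf-images-guard.php and the 403 message are choices made here. Hooking at priority 0 runs the check before the plugin's callback, and because wp_send_json_error() ends the request, Author-level callers never reach the write path. The plugin's existing nonce check is left alone; only the missing check is added. The stand-ins at the top exist so the file can be run from the command line as a self-test; inside WordPress they are skipped.

```php
<?php
/**
 * Plugin Name: cf_images_do_setup capability guard
 *
 * Added mitigation example for the AJAX handler named in the advisory; not
 * vendor code. Assumes the handler is registered on wp_ajax_cf_images_do_setup
 * at the default priority (10). Installed as
 * wp-content/mu-plugins/cf-images-guard.php it runs before the plugin's
 * handler and survives plugin updates, unlike an edit to the plugin itself.
 */

// Minimal stand-ins so this file can also be executed from the CLI as a
// self-test. Inside WordPress these functions already exist and are used.
if (!function_exists('add_action')) {
    $GLOBALS['cf_guard_hooks'] = [];
    $GLOBALS['cf_guard_caps']  = [];
    function add_action(string $hook, callable $cb, int $priority = 10): void {
        $GLOBALS['cf_guard_hooks'][$hook][$priority][] = $cb;
    }
    function do_action(string $hook): void {
        $byPriority = $GLOBALS['cf_guard_hooks'][$hook] ?? [];
        ksort($byPriority);               // lower priority numbers run first
        foreach ($byPriority as $callbacks) {
            foreach ($callbacks as $cb) {
                $cb();
            }
        }
    }
    function current_user_can(string $cap): bool {
        return !empty($GLOBALS['cf_guard_caps'][$cap]);
    }
    function wp_send_json_error($data = null, int $status = 500): void {
        // Real WordPress emits the JSON and exits; the stand-in throws so
        // the self-test below can observe the denial without terminating.
        throw new RuntimeException(json_encode(
            ['success' => false, 'data' => $data, 'status' => $status]
        ));
    }
}

// The guard: priority 0 runs ahead of the plugin's own callback, and
// wp_send_json_error() ends the request for anyone lacking manage_options.
add_action('wp_ajax_cf_images_do_setup', function (): void {
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Setup is restricted to administrators.'], 403);
    }
}, 0);

// Self-test, only when run from the CLI outside WordPress (ABSPATH is
// defined whenever WordPress itself has loaded this file).
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    // Stand-in for the plugin's real handler: the sensitive write path.
    add_action('wp_ajax_cf_images_do_setup', function (): void {
        echo "write_config() reached", PHP_EOL;
    });

    // Author: has upload_files but not manage_options, so the guard fires.
    $GLOBALS['cf_guard_caps'] = ['upload_files' => true];
    try {
        do_action('wp_ajax_cf_images_do_setup');
    } catch (RuntimeException $e) {
        echo "Author denied: ", $e->getMessage(), PHP_EOL;
    }

    // Administrator: holds manage_options, so the plugin handler runs.
    $GLOBALS['cf_guard_caps'] = ['upload_files' => true, 'manage_options' => true];
    do_action('wp_ajax_cf_images_do_setup');
}
```

Place the file in wp-content/mu-plugins/, which WordPress loads automatically and which plugin updates do not touch. This is a stop-gap only: it does not fix the missing escaping in the write path, so an administrator can still write a malformed value, and the plugin should be updated as soon as a fixed release appears.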

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:30:00 +0000

Field: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Field: Description
Values removed: none
Values added: The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' and 'api-key' parameters. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping (sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing), allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with Author-level access and above, to execute code on the server. The 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, so any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.

Field: Title
Values removed: none
Values added: Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action

Field: Weaknesses
Values removed: none
Values added: CWE-434

Field: References
Values removed: none
Values added: none

Field: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T18:11:12.720Z

Reserved: 2026-05-28T16:16:47.763Z

Link: CVE-2026-9860

Vulnrichment

Updated: 2026-06-18T18:10:08.301Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type