CVE-2026-9860

June 18, 2026, 6:16 a.m.

8.8
High

Description

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing — allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.

Product(s) Impacted

Vendor Product Versions
Cloudflare
  • Cloudflare Images
  • *
Wordpress
  • Wordpress
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a cloudflare cloudflare_images / / / / / wordpress / /
a wordpress wordpress / / / / / / / /

References

https://plugins.trac.wordpress.org/browser/cf-images/tags/1.10.1/app/class-media.php#L94
https://plugins.trac.wordpress.org/browser/cf-images/tags/1.10.1/app/class-settings.php#L123
https://plugins.trac.wordpress.org/browser/cf-images/tags/1.10.1/app/class-settings.php#L75
https://plugins.trac.wordpress.org/browser/cf-images/tags/1.10.1/app/traits/trait-ajax.php#L36
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3564001%40cf-images&new=3564001%40cf-images&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a772041e-015e-48e8-9fab-79f1fcdb265c?source=cve

Tags

[email protected]
CWE-434
2026-06-18
CVE-2026-9860

CVSS Score

8.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: June 18, 2026, 6:16 a.m.
Last Modified: June 18, 2026, 6:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.