
CVE-2025-6626: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shortpixel ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Severity: Medium
Tags: Vulnerability, CVE-2025-6626, CWE-79
Published: Sat Aug 02 2025 (08/02/2025, 07:24:21 UTC)
Source: CVE Database V5
Vendor/Project: shortpixel
Product: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Description

The ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the API URL Setting in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI-Powered Analysis

Last updated: 08/10/2025, 00:58:38 UTC

Technical Analysis

CVE-2025-6626 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress, in all versions up to and including 3.10.3. It is an instance of improper neutralization of input during web page generation (CWE-79): the value of the API URL Setting is neither sufficiently sanitized when saved nor escaped when rendered into the page. An authenticated attacker with administrator-level privileges can therefore store arbitrary script in that setting, and the script executes in the browser of any user who loads a page where the setting is rendered, potentially enabling session hijacking, privilege escalation, or other actions in that user's context. The vulnerability only matters on multi-site WordPress installations and on installations where the unfiltered_html capability has been disabled, because elsewhere administrators are already permitted to publish unfiltered HTML; this limits the attack surface. The CVSS 3.1 base score is 4.4: network attack vector, high attack complexity, high privileges required, no user interaction. The scope is changed, meaning the vulnerability can affect components beyond the vulnerable plugin itself (in this case, the browsers of other users of the site). No exploitation in the wild has been reported, and no patch has been linked yet. The CVE was reserved in June 2025 and published in August 2025. The plugin is widely used for image optimization and delivery in WordPress environments, so the issue is relevant to sites that rely on ShortPixel's adaptive image services in multi-site configurations.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to WordPress multi-site deployments using the ShortPixel Adaptive Images plugin. Exploitation could allow an attacker with administrator access to inject malicious scripts, potentially compromising the confidentiality and integrity of user sessions and data. This could lead to unauthorized actions performed on behalf of users, data leakage, or defacement of websites. Given the requirement for administrator privileges, the threat is more about insider threats or compromised admin accounts rather than external attackers directly exploiting the vulnerability. However, in environments where administrator credentials are weak or have been phished, this vulnerability could be leveraged to escalate attacks. The impact on availability is minimal as the vulnerability does not enable denial of service. European organizations with multi-site WordPress installations, especially those in sectors like media, e-commerce, or government that rely on WordPress for content management and use ShortPixel for image optimization, should be particularly cautious. Additionally, the limitation to installations with unfiltered_html disabled means that some configurations may be more vulnerable than others. Overall, the vulnerability could facilitate targeted attacks that undermine trust and data security within affected organizations.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify whether they operate multi-site WordPress installations using the ShortPixel Adaptive Images plugin version 3.10.3 or earlier. Immediate steps include:

1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
2) Monitor and audit administrator activities and plugin settings for suspicious changes, particularly in the API URL Setting.
3) Temporarily disable or restrict the use of the ShortPixel Adaptive Images plugin in multi-site environments until a security patch is released.
4) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on web pages.
5) Regularly update WordPress core and plugins to the latest versions once the vendor releases a patch addressing this vulnerability.
6) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block attempts to inject malicious scripts via the API URL Setting.
7) Educate administrators about the risks of XSS and the importance of sanitizing inputs when configuring plugins.

These targeted actions go beyond generic advice by focusing on the specific conditions and configurations that enable exploitation of this vulnerability.
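The defect class named in the description (an administrator-controlled URL setting that is neither sanitized on save nor escaped on output) and its hardened form, shown as an added example written for this page in the WordPress Settings API idiom. It is not ShortPixel's code and does not reflect how the plugin implements its API URL Setting; the option name hypo_api_url, the settings group hypo_settings_group and all hypo_ function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Option name, settings group and
// function names (hypo_*) are hypothetical.

// --- Defect pattern (CWE-79) ---
// The option is stored exactly as submitted and echoed unescaped into an
// HTML attribute, so whatever an administrator saved lands in the page
// verbatim for every user who loads this screen.
function hypo_render_api_url_field_unsafe() {
    $url = get_option( 'hypo_api_url', '' );
    echo '<input type="text" name="hypo_api_url" value="' . $url . '">';
}

// --- Hardened pattern: sanitize on save, escape on output ---

// Sanitize callback run by the Settings API before the value is stored.
// Only an absolute http(s) URL is accepted; anything else keeps the
// previously stored value and raises a settings error for the admin UI.
function hypo_sanitize_api_url( $value ) {
    $value = trim( (string) $value );
    if ( '' === $value ) {
        return '';
    }
    // esc_url_raw() returns '' for disallowed schemes (javascript:, data:, ...)
    // and normalises the rest; the protocol list narrows it to http/https.
    $clean = esc_url_raw( $value, array( 'http', 'https' ) );
    if ( '' === $clean ) {
        add_settings_error(
            'hypo_api_url',
            'hypo_invalid_url',
            'API URL must be an absolute http(s) URL.'
        );
        return get_option( 'hypo_api_url', '' );
    }
    return $clean;
}

function hypo_register_settings() {
    register_setting(
        'hypo_settings_group',
        'hypo_api_url',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'hypo_sanitize_api_url',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hypo_register_settings' );

// Output escaping is still required even though the value was sanitized on
// save: a stored value may predate the sanitizer or have been written by
// other code (WP-CLI, migration, another plugin). esc_attr() is what stops
// the stored XSS at the point where the page is generated.
function hypo_render_api_url_field() {
    $url = get_option( 'hypo_api_url', '' );
    echo '<input type="text" name="hypo_api_url" value="' . esc_attr( $url ) . '">';
}

// Where the URL is emitted into a URL-bearing attribute (href, src),
// esc_url() both re-validates the scheme and encodes for HTML context.
function hypo_render_dns_prefetch_hint() {
    $url = get_option( 'hypo_api_url', '' );
    if ( '' !== $url ) {
        echo '<link rel="dns-prefetch" href="' . esc_url( $url ) . '">';
    }
}
```

The reason the advisory scopes the issue to multi-site installations and to sites with unfiltered_html disabled is visible in this pattern: on a single-site install an administrator already holds the unfiltered_html capability and can publish raw HTML anyway, so a settings field that echoes their input unescaped crosses no trust boundary. On multi-site, per-site administrators lack unfiltered_html (only super admins hold it), so a settings screen that renders a site admin's input without escaping lets that role place script in front of every other user of the site. Escaping on output with esc_attr() or esc_url() is the control that holds regardless of which capabilities the saving user had.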


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-25T10:26:36.435Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 688dbf27ad5a09ad00d1faf3

Added to database: 8/2/2025, 7:32:55 AM

Last enriched: 8/10/2025, 12:58:38 AM

Last updated: 9/15/2025, 9:41:57 AM
