CVE-2025-6626 identifies a stored cross-site scripting (XSS) vulnerability in the ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress, affecting all versions up to and including 3.10.3. The root cause is improper neutralization of input during web page generation (CWE-79), specifically in the API URL setting, which lacks sufficient input sanitization and output escaping. This flaw enables authenticated attackers with administrator-level privileges to inject arbitrary JavaScript code into pages within multi-site WordPress installations where the unfiltered_html capability is disabled. When users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. Exploitation requires high privileges (administrator access) but does not require user interaction, and the vulnerability affects the confidentiality and integrity of the site and its users. The CVSS v3.1 base score is 4.4, reflecting medium severity due to the high attack complexity and required privileges. No public exploits have been reported to date, and no official patches have been linked yet. The vulnerability is particularly relevant for WordPress multi-site environments using this plugin, which is popular for image optimization and delivery.

The impact of CVE-2025-6626 is primarily on the confidentiality and integrity of WordPress multi-site installations using the vulnerable ShortPixel Adaptive Images plugin. An attacker with administrator privileges can inject malicious scripts that execute in the context of other users visiting the affected pages, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of users. Although availability is not directly impacted, the trustworthiness and security posture of the affected websites can be severely undermined. Organizations relying on multi-site WordPress deployments for content management, especially those with multiple administrators, face increased risk of internal threat exploitation or compromised administrator accounts. The requirement for administrator-level access limits the attack surface but does not eliminate risk, as insider threats or compromised admin credentials could be leveraged. The absence of known public exploits reduces immediate risk but vigilance is necessary as exploit code could emerge. Overall, this vulnerability can facilitate persistent cross-site scripting attacks that degrade user trust and site security.

To mitigate CVE-2025-6626, organizations should first restrict administrator access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Regularly audit administrator accounts and permissions, especially in multi-site WordPress environments. Disable or limit the use of the ShortPixel Adaptive Images plugin on multi-site installations if feasible until a patch is released. Monitor web application logs and user activity for unusual behavior indicative of XSS exploitation attempts. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Encourage the plugin vendor to release a security update that properly sanitizes and escapes the API URL setting input. Once available, promptly apply the patch. Additionally, consider using web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this plugin. Educate administrators on the risks of injecting untrusted input and the importance of secure configuration.