CVE-2026-1557 is a path traversal vulnerability identified in the WP Responsive Images plugin for WordPress, maintained by stuartbates. The vulnerability exists in all versions up to and including 1.0 and is triggered via the 'src' parameter. Due to improper validation and limitation of the pathname input (classified under CWE-22), an attacker can manipulate the 'src' parameter to traverse directories and access arbitrary files on the hosting server. This flaw does not require any authentication or user interaction, making it remotely exploitable over the network. The vulnerability allows attackers to read sensitive files such as configuration files, credentials, or other private data stored on the server, potentially leading to further compromise. The CVSS v3.1 base score is 7.5, reflecting a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although there are no known exploits in the wild at the time of publication, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's unrestricted file access. The lack of an official patch at the time of reporting increases the urgency for organizations to implement alternative mitigations.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information stored on the web server hosting the vulnerable WordPress plugin. Attackers can read arbitrary files, which may include database credentials, API keys, private configuration files, or other sensitive data. This can lead to further attacks such as privilege escalation, data breaches, or full system compromise if attackers leverage the disclosed information. The vulnerability does not directly allow modification or deletion of files, but the confidentiality breach alone can have severe consequences for organizations, including regulatory non-compliance, reputational damage, and financial loss. Since the exploit requires no authentication and no user interaction, the attack surface is broad, affecting any publicly accessible WordPress site using the plugin. The impact is especially critical for organizations relying on WordPress for business-critical websites or handling sensitive user data.

1. Immediately disable or uninstall the WP Responsive Images plugin until a secure patch is released. 2. If disabling the plugin is not feasible, restrict access to the vulnerable functionality by implementing web application firewall (WAF) rules that block requests containing suspicious 'src' parameter values indicative of path traversal attempts (e.g., '../'). 3. Harden server file permissions to limit the web server's ability to read sensitive files outside the intended directories. 4. Monitor web server logs for unusual access patterns targeting the 'src' parameter or attempts to access sensitive files. 5. Keep WordPress core, plugins, and themes updated regularly and subscribe to vulnerability advisories for timely patching. 6. Consider deploying runtime application self-protection (RASP) solutions that can detect and block path traversal attacks in real-time. 7. Conduct security audits and penetration testing focused on file inclusion and path traversal vulnerabilities to identify similar issues proactively.