CVE-2026-8622: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pixelwelt Image Sizes on Demand
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.
AI Analysis
Technical Summary
CVE-2026-8622 is a reflected cross-site scripting vulnerability in the Image Sizes on Demand WordPress plugin (pixelwelt) affecting all versions up to and including 1.3. The vulnerability stems from improper neutralization of input in the PHP_SELF server variable, allowing injection of arbitrary web scripts. Exploitation requires tricking an administrator into clicking a malicious link, leading to script execution in the administrator's context on the plugin's settings page. The vulnerability is classified as CWE-79 and has a CVSS 3.1 base score of 6.1 (medium severity). No official patch or remediation has been disclosed as of the publication date.
Potential Impact
An attacker can perform reflected XSS attacks by injecting malicious scripts that execute with administrator privileges when the administrator accesses the plugin's settings page. This can lead to limited confidentiality and integrity impacts, such as theft of admin session tokens or manipulation of plugin settings. There is no direct impact on availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid clicking untrusted links that could exploit this vulnerability. Monitoring vendor channels for an official update or patch is recommended.
CVE-2026-8622: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pixelwelt Image Sizes on Demand
Description
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.
CVSS v3.1
Score 6.1medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-8622 is a reflected cross-site scripting vulnerability in the Image Sizes on Demand WordPress plugin (pixelwelt) affecting all versions up to and including 1.3. The vulnerability stems from improper neutralization of input in the PHP_SELF server variable, allowing injection of arbitrary web scripts. Exploitation requires tricking an administrator into clicking a malicious link, leading to script execution in the administrator's context on the plugin's settings page. The vulnerability is classified as CWE-79 and has a CVSS 3.1 base score of 6.1 (medium severity). No official patch or remediation has been disclosed as of the publication date.
Potential Impact
An attacker can perform reflected XSS attacks by injecting malicious scripts that execute with administrator privileges when the administrator accesses the plugin's settings page. This can lead to limited confidentiality and integrity impacts, such as theft of admin session tokens or manipulation of plugin settings. There is no direct impact on availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid clicking untrusted links that could exploit this vulnerability. Monitoring vendor channels for an official update or patch is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-14T18:40:57.242Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3b7812eed863c81e5f72c6
Added to database: 06/24/2026, 06:24:18 UTC
Last enriched: 06/24/2026, 06:54:27 UTC
Last updated: 06/24/2026, 19:11:44 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.