WordPress ImageRecycle pdf & image compression Plugin <= 3.1.10 is vulnerable to Cross Site Scripting (XSS)
Description
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ImageRecycle ImageRecycle pdf & image compression plugin <= 3.1.10 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated Reflected XSS in ImageRecycle pdf & image compression plugin <=3.1.10 allows arbitrary script execution in victim's browser.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the ImageRecycle pdf & image compression plugin for WordPress versions 3.1.10 and earlier [1]. The vulnerability is triggered via user-supplied input that is not properly sanitized before being reflected back to the user, allowing an attacker to inject arbitrary JavaScript code.
Exploitation
An attacker can exploit this vulnerability without authentication by crafting a malicious URL containing the XSS payload. The victim must be tricked into clicking the link or visiting the crafted URL while logged into WordPress, causing the malicious script to execute in the context of the victim's session.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, data theft, or defacement of the WordPress admin interface, as the script runs with the victim's privileges.
Mitigation
Upgrade to version 3.1.11 or later (currently 3.1.18) to mitigate the vulnerability [1]. No workaround is available without updating the plugin.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=3.1.10
- Range: n/a
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.