WordPress ImageRecycle pdf & image compression Plugin <= 3.1.11 is vulnerable to Cross Site Scripting (XSS)
Description
Unauthenticated reflected Cross-Site Scripting (XSS) vulnerability in the ImageRecycle pdf & image compression plugin by ImageRecycle, versions <= 3.1.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in ImageRecycle pdf & image compression plugin for WordPress allows unauthenticated attackers to inject arbitrary web scripts.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in the ImageRecycle pdf & image compression plugin for WordPress versions up to and including 3.1.11. The flaw occurs when user-supplied input is not properly sanitized before being reflected back in the response, allowing an attacker to inject malicious JavaScript. No authentication is required to exploit this vulnerability.
Exploitation
An attacker can craft a malicious URL containing the XSS payload and trick a logged-in WordPress administrator or any user into clicking it. The payload executes in the context of the victim's browser session. No special network position or prior authentication is needed; the attack is purely client-side and relies on social engineering.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement of the WordPress admin interface, theft of sensitive information (e.g., cookies, nonces), or further actions on behalf of the victim user within the WordPress instance.
Mitigation
The vulnerability is fixed in version 3.1.12 and later. Users should update to the latest version (3.1.18 as of this writing) available from the WordPress plugin repository [1]. No workarounds are documented; updating the plugin is the recommended mitigation.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.1.11
- Range: n/a
Patches
No patches discovered yet.
References