CVE-2026-39665

Vulnerability

Overview

The SEO Friendly Images plugin for WordPress (slug: seo-image) versions up to and including 3.0.5 contains a DOM-Based Cross-Site Scripting (XSS) vulnerability [1]. The root cause is improper neutralization of user-supplied input during web page generation, which enables an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Details

Exploitation requires user interaction — a privileged user (e.g., an administrator) must click a malicious link, visit a crafted page, or submit a specially prepared form [1]. The attack is DOM-based, meaning the payload is executed client-side without being stored on the server, making it harder to detect via traditional server-side scanning [1]. No authentication is required beyond the victim's existing session is needed for the attacker to deliver the payload.

Impact

Successful exploitation allows an attacker to inject malicious scripts, redirects, advertisements, or other HTML payloads into the website [1]. These scripts execute in the context of the victim's browser when they visit the affected site, potentially leading to session hijacking, defacement, or phishing attacks [1]. The vulnerability is actively used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Mitigation

The vendor has not released a patched version; users are advised to update the plugin immediately if a fix becomes available [1]. As a workaround, site administrators should restrict access to the plugin settings, apply a Web Application Firewall (WAF) rule to filter XSS payloads, or consider disabling the plugin until a patch is released [1]. The CVSS v3 base score is 6.5 (Medium), reflecting the need for user interaction and the potential for significant impact [1].