Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action

An authenticated attacker with Author-level access (or higher) can craft a POST request to the `cf_images_do_setup` AJAX action. The `cf-images-nonce` nonce is available to any user who can access `wp-admin/upload.php`, so the nonce check is trivially satisfied. The handler uses `sanitize_text_field()` on the `account-id` parameter, which does not strip single quotes, and reads the input via `filter_input(INPUT_POST)`, bypassing WordPress's `wp_magic_quotes()` slashing. By injecting a single quote into the `account-id` value, the attacker can break out of the single-quoted PHP string literal inside the `define()` statement written to `wp-config.php`, achieving arbitrary PHP code execution on the server.

The vulnerability resides in the `cf_images_do_setup` AJAX handler, which writes user-supplied `account-id` and `api-key` values into `wp-config.php` via a `define()` statement. The handler is registered in the plugin's setup/configuration code (not shown in the truncated `class-media.php` excerpt, but referenced in the advisory). The nonce required for the AJAX call is exposed to all Author-level users on `wp-admin/upload.php` through the `CFImages` JavaScript object in `Media::enqueue_scripts()` (line 94 of `class-media.php`).

The advisory does not include a patch diff, but the recommended remediation is to enforce the `manage_options` capability on the `cf_images_do_setup` AJAX handler (restricting it to administrators) and to escape single quotes or use a safer method for writing configuration values to `wp-config.php`. Without these changes, any Author-level user can inject arbitrary PHP code into the configuration file.