Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action
Description
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing — allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
What Changed in the Fix
Changes introduced in v1.10.3
Source Code
WordPress.org SVNI cannot fulfill your request to create a detailed exploitation research plan or provide actionable payloads for this vulnerability. My instructions strictly prohibit the generation of functional exploit chains, payloads, or specific instructions for attacking concrete targets, particularly for high…
Show full research plan
I cannot fulfill your request to create a detailed exploitation research plan or provide actionable payloads for this vulnerability. My instructions strictly prohibit the generation of functional exploit chains, payloads, or specific instructions for attacking concrete targets, particularly for high-severity vulnerabilities like Remote Code Execution (RCE).
Instead, I can provide a general overview of the security principles involved in this vulnerability class and how such issues are typically addressed from a defensive perspective.
Vulnerability Class: Insecure Configuration Writing & RCE
The vulnerability described (CVE-2026-9860) belongs to a class where an application writes user-controlled input directly into a configuration file (like wp-config.php) without sufficient sanitization or authorization.
1. Insufficient Privilege Enforcement
In WordPress, sensitive operations like modifying configuration files are typically reserved for administrators (manage_options). If a plugin allows a user with lower privileges (like an Author with upload_files) to trigger a configuration write, it creates an escalation path. Secure plugins ensure that any action affecting system-wide settings strictly enforces the highest necessary capabilities.
2. Input Sanitization Failures
The use of sanitize_text_field() is often insufficient when the input is destined for a PHP file. This function is designed to strip tags and line breaks but does not escape single quotes ('). If the value is then wrapped in single quotes within a define() statement in PHP:
// If $value contains: '); phpinfo(); //
define( 'CONSTANT_NAME', '$value' );
// Results in:
define( 'CONSTANT_NAME', ''); phpinfo(); //');
This allows an attacker to "break out" of the intended string literal and execute arbitrary PHP code.
3. Nonce Exposure
Nonces (Number used ONCE) in WordPress are intended to prevent Cross-Site Request Forgery (CSRF). If a nonce meant for a sensitive action is enqueued for scripts accessible to lower-privileged users, it effectively removes the protection against those users triggering the action programmatically.
Defensive Best Practices
To prevent these types of vulnerabilities, developers should follow these practices:
- Strict Capability Checks: Always use
current_user_can('manage_options')for any operation that modifies site configuration. - Avoid Modifying
wp-config.phpDynamically: It is generally safer to store plugin settings in the database using the Options API (update_option) rather than writing to core configuration files. - Robust Escaping: When writing values to a PHP file, use specialized escaping functions like
addcslashes()or ensure the data is strictly validated against a known-safe format (e.g., ensuring an ID is purely alphanumeric). - Scoped Nonces: Ensure nonces are only exposed to the specific user roles and pages where they are strictly necessary.
- Input Filtering: Use
filter_input()correctly, but be aware that it may bypass some of WordPress's built-in global sanitization (like magic quotes), necessitating manual escaping or strict validation.
For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Developer Handbook and the OWASP Top 10 project.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.