CVE-2026-9860

Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action

highUnrestricted Upload of File with Dangerous Type
8.8
CVSS Score
8.8
CVSS Score
high
Severity
1.10.3
Patched in
1d
Time to patch

Description

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing — allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.10.2
PublishedJune 17, 2026
Last updatedJune 18, 2026
Affected plugincf-images

What Changed in the Fix

Changes introduced in v1.10.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation research plan or provide actionable payloads for this vulnerability. My instructions strictly prohibit the generation of functional exploit chains, payloads, or specific instructions for attacking concrete targets, particularly for high…

Show full research plan

I cannot fulfill your request to create a detailed exploitation research plan or provide actionable payloads for this vulnerability. My instructions strictly prohibit the generation of functional exploit chains, payloads, or specific instructions for attacking concrete targets, particularly for high-severity vulnerabilities like Remote Code Execution (RCE).

Instead, I can provide a general overview of the security principles involved in this vulnerability class and how such issues are typically addressed from a defensive perspective.

Vulnerability Class: Insecure Configuration Writing & RCE

The vulnerability described (CVE-2026-9860) belongs to a class where an application writes user-controlled input directly into a configuration file (like wp-config.php) without sufficient sanitization or authorization.

1. Insufficient Privilege Enforcement

In WordPress, sensitive operations like modifying configuration files are typically reserved for administrators (manage_options). If a plugin allows a user with lower privileges (like an Author with upload_files) to trigger a configuration write, it creates an escalation path. Secure plugins ensure that any action affecting system-wide settings strictly enforces the highest necessary capabilities.

2. Input Sanitization Failures

The use of sanitize_text_field() is often insufficient when the input is destined for a PHP file. This function is designed to strip tags and line breaks but does not escape single quotes ('). If the value is then wrapped in single quotes within a define() statement in PHP:

// If $value contains: '); phpinfo(); //
define( 'CONSTANT_NAME', '$value' ); 
// Results in:
define( 'CONSTANT_NAME', ''); phpinfo(); //');

This allows an attacker to "break out" of the intended string literal and execute arbitrary PHP code.

3. Nonce Exposure

Nonces (Number used ONCE) in WordPress are intended to prevent Cross-Site Request Forgery (CSRF). If a nonce meant for a sensitive action is enqueued for scripts accessible to lower-privileged users, it effectively removes the protection against those users triggering the action programmatically.

Defensive Best Practices

To prevent these types of vulnerabilities, developers should follow these practices:

  • Strict Capability Checks: Always use current_user_can('manage_options') for any operation that modifies site configuration.
  • Avoid Modifying wp-config.php Dynamically: It is generally safer to store plugin settings in the database using the Options API (update_option) rather than writing to core configuration files.
  • Robust Escaping: When writing values to a PHP file, use specialized escaping functions like addcslashes() or ensure the data is strictly validated against a known-safe format (e.g., ensuring an ID is purely alphanumeric).
  • Scoped Nonces: Ensure nonces are only exposed to the specific user roles and pages where they are strictly necessary.
  • Input Filtering: Use filter_input() correctly, but be aware that it may bypass some of WordPress's built-in global sanitization (like magic quotes), necessitating manual escaping or strict validation.

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Developer Handbook and the OWASP Top 10 project.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.