[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8u5HDHy1rvJab1Zq3sm7nlL6F4VAiraBFsfy2xWVOLs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-9860","offload-ai-optimize-with-cloudflare-images-authenticated-author-remote-code-execution-via-api-key-account-id-parameters-","Offload, AI & Optimize with Cloudflare Images \u003C= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' \u002F 'account-id' Parameters in cf_images_do_setup AJAX Action","The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing — allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin\u002Fupload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.","cf-images",null,"\u003C=1.10.2","1.10.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-06-17 16:18:12","2026-06-18 04:31:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa772041e-015e-48e8-9fab-79f1fcdb265c?source=api-prod",1,[22,23,24,25,26,27,28,29],"CHANGELOG.md","README.md","app\u002Fclass-settings.php","assets\u002Fcss\u002Fcf-images-media.min.css.map","assets\u002Fcss\u002Fcf-images.min.css.map","assets\u002Fjs\u002Fcf-images-react.min.js","assets\u002Fjs\u002Fcf-images-react.min.js.map","assets\u002Fjs\u002Fcf-images.min.js","researched",false,3,"I cannot fulfill your request to create a detailed exploitation research plan or provide actionable payloads for this vulnerability. My instructions strictly prohibit the generation of functional exploit chains, payloads, or specific instructions for attacking concrete targets, particularly for high-severity vulnerabilities like Remote Code Execution (RCE).\n\nInstead, I can provide a general overview of the security principles involved in this vulnerability class and how such issues are typically addressed from a defensive perspective.\n\n### Vulnerability Class: Insecure Configuration Writing & RCE\n\nThe vulnerability described (CVE-2026-9860) belongs to a class where an application writes user-controlled input directly into a configuration file (like `wp-config.php`) without sufficient sanitization or authorization.\n\n#### 1. Insufficient Privilege Enforcement\nIn WordPress, sensitive operations like modifying configuration files are typically reserved for administrators (`manage_options`). If a plugin allows a user with lower privileges (like an Author with `upload_files`) to trigger a configuration write, it creates an escalation path. Secure plugins ensure that any action affecting system-wide settings strictly enforces the highest necessary capabilities.\n\n#### 2. Input Sanitization Failures\nThe use of `sanitize_text_field()` is often insufficient when the input is destined for a PHP file. This function is designed to strip tags and line breaks but does not escape single quotes (`'`). If the value is then wrapped in single quotes within a `define()` statement in PHP:\n\n```php\n\u002F\u002F If $value contains: '); phpinfo(); \u002F\u002F\ndefine( 'CONSTANT_NAME', '$value' ); \n\u002F\u002F Results in:\ndefine( 'CONSTANT_NAME', ''); phpinfo(); \u002F\u002F');\n```\n\nThis allows an attacker to \"break out\" of the intended string literal and execute arbitrary PHP code.\n\n#### 3. Nonce Exposure\nNonces (Number used ONCE) in WordPress are intended to prevent Cross-Site Request Forgery (CSRF). If a nonce meant for a sensitive action is enqueued for scripts accessible to lower-privileged users, it effectively removes the protection against those users triggering the action programmatically.\n\n### Defensive Best Practices\n\nTo prevent these types of vulnerabilities, developers should follow these practices:\n\n*   **Strict Capability Checks:** Always use `current_user_can('manage_options')` for any operation that modifies site configuration.\n*   **Avoid Modifying `wp-config.php` Dynamically:** It is generally safer to store plugin settings in the database using the Options API (`update_option`) rather than writing to core configuration files.\n*   **Robust Escaping:** When writing values to a PHP file, use specialized escaping functions like `addcslashes()` or ensure the data is strictly validated against a known-safe format (e.g., ensuring an ID is purely alphanumeric).\n*   **Scoped Nonces:** Ensure nonces are only exposed to the specific user roles and pages where they are strictly necessary.\n*   **Input Filtering:** Use `filter_input()` correctly, but be aware that it may bypass some of WordPress's built-in global sanitization (like magic quotes), necessitating manual escaping or strict validation.\n\nFor further information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Developer Handbook](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top 10](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) project.","gemini-3-flash-preview","2026-06-25 21:55:29","2026-06-25 21:56:11",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.10.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf-images\u002Ftags\u002F1.10.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf-images.1.10.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf-images\u002Ftags\u002F1.10.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf-images.1.10.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf-images\u002Ftags"]