Stored Cross-Site Scripting Vulnerability in ShortPixel Adaptive Images Plugin for WordPress
CVE-2025-6626
4.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 August 2025
What is CVE-2025-6626?
The ShortPixel Adaptive Images plugin for WordPress is vulnerable to a Stored Cross-Site Scripting flaw due to inadequate input sanitization and output escaping in the API URL Setting. This vulnerability affects all versions up to and including 3.10.3. Authenticated attackers with administrator-level access can exploit this weakness to inject malicious web scripts into pages. The harmful scripts will execute whenever a user accesses these compromised pages, posing a significant risk especially in multi-site installations or when unfiltered_html functionality is disabled.
Affected Version(s)
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization * <= 3.10.4