Stored Cross-Site Scripting in Image Source Control Lite Plugin for WordPress
CVE-2026-4852

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Image Source Control Lite – Show Image Credits And Captions
Vendor: CVE Published:; 20 April 2026

What is CVE-2026-4852?

The Image Source Control Lite plugin for WordPress suffers from a vulnerability that allows authenticated attackers with Author-level access and above to inject malicious web scripts through the 'Image Source' attachment field. This issue arises from inadequate input sanitization and output escaping, potentially exposing users to executed scripts whenever they access an affected page. This vulnerability impacts all versions up to and including 3.9.1, necessitating urgent updates to mitigate security risks.

Affected Version(s)

Image Source Control Lite – Show Image Credits and Captions 0 <= 3.9.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/image-source-c...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Mar 25, 2026

Credit

Athiwat Tiprasaharn

Vilaysone CHANTHAVONG

CVE-2026-4852 Data

JSON