The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
Description
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
AI Analyst Comment
Remediation
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
---METADATA---
VENDOR: WordPress
PRODUCT: Offload, AI & Optimize with Cloudflare Images
AFFECTED_VERSIONS: <= 1
---END_METADATA---
Description Summary:
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is susceptible to Remote Code Execution due to insufficient input validation.
Executive Summary:
A critical Remote Code Execution vulnerability in the Offload, AI & Optimize with Cloudflare Images plugin allows attackers to gain full control over the WordPress server.
Vulnerability Details
CVE-ID: CVE-2026-9860
Affected Software: WordPress Offload, AI & Optimize with Cloudflare Images Plugin
Affected Versions: <= 1
Vulnerability: The plugin fails to validate user input correctly, allowing for the execution of arbitrary code on the underlying server. This vulnerability effectively permits an attacker to bypass standard WordPress application controls and execute commands at the web server's privilege level.
Business Impact
With a CVSS score of 8.8, this represents a critical threat. Remote Code Execution (RCE) is one of the most severe vulnerability types, as it allows attackers to install persistent backdoors, deploy ransomware, or exfiltrate the entirety of the application's environment.
Remediation Plan
Immediate Action: Update the plugin to the latest version immediately or remove it from the environment if no patch is available.
Proactive Monitoring: Perform integrity checks on the web server files and monitor for unusual outbound network traffic indicating a reverse shell or command-and-control communication.
Compensating Controls: Implement strict file permission policies and disable the ability for the web server to execute commands in sensitive directories.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of June 18, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The risk posed by RCE vulnerabilities is extreme. Organizations utilizing this plugin must take immediate action to patch or remove the affected software to prevent a full-scale compromise of their web infrastructure.