A highly dangerous remote code execution (RCE) vulnerability, CVE-2026-9860, has been reported in the popular WordPress plugin 'Offload, AI & Optimize with Cloudflare Images'. It affects all versions up to and including 1.10.2 and allows an authenticated attacker with Author privileges or higher to execute arbitrary PHP code on the server. Because this can lead to a complete compromise of the site, site administrators are strongly advised to update the plugin to the latest version immediately.
Vulnerability Overview and Scope of Impact
CVE-2026-9860 stems from a missing capability check combined with missing input sanitization in the plugin's `cf_images_do_setup` AJAX handler. The handler writes to `wp-config.php`, an operation that should be reserved for administrators, yet it only required the `upload_files` capability, which the Author role and every role above it hold by default. In addition, single quotes in the `account-id` and `api-key` parameters were not escaped before the values were written into the file as PHP string literals, so an attacker can close the literal early and append PHP code of their choosing, which then runs every time WordPress loads `wp-config.php`, that is, on every request to the site.
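The following PHP is an added illustration of the bug class described above; it is not the plugin's code, and the constant names (`CF_IMAGES_ACCOUNT_ID`, `CF_IMAGES_API_TOKEN`), the accepted value formats, and the handler name `cf_demo_do_setup` are assumptions made for the demo. It renders a `define()` line the insecure way (value interpolated straight into source), the hardened way (allow-listed shape plus `var_export()` escaping), and uses PHP's own tokenizer to show that the constructed payload `'; system('id'); //` turns one literal into executable code. The guarded AJAX handler at the end registers only when the file is loaded inside WordPress; run `php cf-demo.php` from the command line to see the rendering comparison.

```php
<?php
// Added illustration for this advisory; not the plugin's code. Constant names,
// accepted value formats and the handler name are assumptions for the demo.

// Vulnerable pattern: a single quote in $value ends the literal early and
// everything after it is parsed as PHP code when wp-config.php is loaded.
function cf_demo_define_line_insecure(string $name, string $value): string
{
    return sprintf("define('%s', '%s');", $name, $value);
}

// Hardened pattern: allow-list the value's shape first, then let var_export()
// emit the literal so quotes and backslashes are always escaped.
function cf_demo_define_line_secure(string $name, string $value): string
{
    // Assumed formats: a 32-hex-digit account ID and a [A-Za-z0-9_-] token.
    // Tighten these to whatever the real credentials look like.
    $allowed = [
        'CF_IMAGES_ACCOUNT_ID' => '/\A[0-9a-f]{32}\z/',
        'CF_IMAGES_API_TOKEN'  => '/\A[A-Za-z0-9_-]{20,128}\z/',
    ];
    if (!isset($allowed[$name]) || !preg_match($allowed[$name], $value)) {
        throw new InvalidArgumentException("rejected value for $name");
    }
    return sprintf('define(%s, %s);', var_export($name, true), var_export($value, true));
}

// Check: tokenize the generated line and confirm it is exactly one define()
// call with two string literals and no other identifier. The payload
// '; system('id'); // adds a third string and a second identifier (system).
function cf_demo_literal_is_intact(string $line): bool
{
    $strings = 0;
    $identifiers = 0;
    foreach (token_get_all('<?php ' . $line) as $token) {
        if (!is_array($token)) {
            continue;
        }
        if ($token[0] === T_CONSTANT_ENCAPSED_STRING) {
            $strings++;
        } elseif ($token[0] === T_STRING) {
            $identifiers++;
        }
    }
    return $strings === 2 && $identifiers === 1;
}

// Hardened AJAX entry point, registered only when loaded inside WordPress.
// Editing wp-config.php is an administrator action: require manage_options
// (not upload_files) and a nonce before looking at the parameters.
if (function_exists('add_action')) {
    add_action('wp_ajax_cf_demo_do_setup', function (): void {
        if (!current_user_can('manage_options')) {
            wp_send_json_error('insufficient privileges', 403);   // exits
        }
        check_ajax_referer('cf_demo_setup');
        try {
            $lines = [
                cf_demo_define_line_secure('CF_IMAGES_ACCOUNT_ID', (string) ($_POST['account-id'] ?? '')),
                cf_demo_define_line_secure('CF_IMAGES_API_TOKEN', (string) ($_POST['api-key'] ?? '')),
            ];
        } catch (InvalidArgumentException $e) {
            wp_send_json_error($e->getMessage(), 400);            // exits
        }
        // The file write itself is left to the plugin. The safer design is to
        // keep credentials in the options table (update_option) and never
        // generate PHP source from request data at all.
        wp_send_json_success(['config_lines' => $lines]);
    });
}

// CLI demonstration with a constructed attacker value.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $payload  = "'; system('id'); //";
    $insecure = cf_demo_define_line_insecure('CF_IMAGES_ACCOUNT_ID', $payload);
    printf("insecure: %s\n  literal intact: %s\n", $insecure, var_export(cf_demo_literal_is_intact($insecure), true));

    try {
        cf_demo_define_line_secure('CF_IMAGES_ACCOUNT_ID', $payload);
    } catch (InvalidArgumentException $e) {
        printf("secure:   %s\n", $e->getMessage());
    }
    $secure = cf_demo_define_line_secure('CF_IMAGES_ACCOUNT_ID', str_repeat('0123456789abcdef', 2));
    printf("secure:   %s\n  literal intact: %s\n", $secure, var_export(cf_demo_literal_is_intact($secure), true));
}
```

The two checks are deliberately layered: the capability and nonce checks stop non-administrators from reaching the handler at all, and the allow-list plus `var_export()` make the write safe even for an administrator who pastes an unexpected value. Escaping alone would not have fixed the privilege problem, and the capability check alone would still leave a self-inflicted syntax error or injection possible.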
Specific Impacts and Attack Scenarios
Attackers can exploit this vulnerability from any account with the Author role or higher, whether obtained by compromising credentials or held by a malicious insider. By sending a request to the `cf_images_do_setup` handler with a crafted `account-id` or `api-key` value, they can write code of their choosing into `wp-config.php`, which WordPress loads on every request. The consequences include backdoor installation, theft of database credentials and other sensitive information, alteration of site content, and full server compromise. On sites where several users publish content, the insider-threat angle deserves particular attention, since the only precondition is an ordinary author account rather than an exploit chain.
Actions Engineers Should Take Immediately
To ensure site security, please implement the following measures immediately.
1. **Prioritize Plugin Update**: Immediately update the 'Offload, AI & Optimize with Cloudflare Images' plugin to a version in which the vulnerability has been fixed (newer than 1.10.2). You can update via the WordPress dashboard or by downloading the package from the official plugin directory and updating manually. Check the installed version under Plugins first; if you cannot update right away, deactivating the plugin removes its AJAX handlers in the meantime.
2. **Strengthen `wp-config.php` Protection**: Make the file read-only for the account PHP runs as, and block it from being served over HTTP. The filesystem permission is the part that matters for this vulnerability: the malicious write comes from the PHP process itself, so the web-server rules below do not stop it; they only keep the file's contents (database credentials, salts) from being served should PHP handling ever be disabled. A common setting is `chmod 440 wp-config.php` with the file owned by a separate deploy user, which blocks the write unless the process changes the file mode first; confirm beforehand that nothing on the site legitimately needs to rewrite the file. Below is an example of `.htaccess` protection for Apache.

```apache
<Files wp-config.php>
    # Apache 2.4 and later
    Require all denied
    # Apache 2.2 (or 2.4 with mod_access_compat loaded) uses the older form:
    # Order allow,deny
    # Deny from all
</Files>
```

If you are using Nginx, add the following to the site's server block.

```nginx
location ~* /(wp-config\.php|\.htaccess)$ {
    deny all;
}
```

3. **Implement a WAF (Web Application Firewall)**: Deploy a WAF or review its existing rules to block malicious requests. Generic rule sets may not know this plugin; until the update is applied, a virtual-patch rule that rejects requests to `admin-ajax.php` whose `account-id` or `api-key` parameter contains a single quote covers the injection described above.
4. **Monitor for Suspicious Activity**: Regularly review server logs and WordPress activity logs. In particular, alert on any change to `wp-config.php` (compare its hash and modification time against a recorded baseline), on calls to the `cf_images_do_setup` action by non-administrator accounts, and on unexpected file uploads.
5. **Principle of Least Privilege**: Review WordPress user roles and grant each user only the capabilities they actually need. Audit in particular who holds the Author role or higher, since that is the bar this vulnerability sets.
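As an added example for the monitoring step (not from the advisory or the plugin), the PHP script below audits `wp-config.php` in two ways: it compares the file's SHA-256 against a baseline recorded at deploy time, and it tokenizes the file to flag calls to functions that have no place in a configuration file, so a backdoor is reported even if the baseline was never recorded. The list of suspect calls and the sample configuration file are constructed for the demo; run `php wp-config-audit.php` (from cron, alerting on a non-empty result) to see it on a clean file and then on a tampered one.

```php
<?php
// Added example for the monitoring step; not from the advisory or the plugin.
// The suspect-call list is an assumption: extend it for your environment.

const CF_DEMO_SUSPECT_CALLS = [
    'system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen',
    'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'assert',
    'create_function', 'call_user_func', 'file_put_contents',
    'move_uploaded_file', 'curl_exec', 'fsockopen',
];

// Returns a list of findings (empty means clean). A null baseline skips the
// hash comparison and only performs the token scan.
function cf_demo_audit_wp_config(string $path, ?string $baselineSha256 = null): array
{
    $findings = [];
    $source = @file_get_contents($path);
    if ($source === false) {
        return ["unreadable: $path"];
    }

    $current = hash('sha256', $source);
    if ($baselineSha256 !== null && !hash_equals($baselineSha256, $current)) {
        $findings[] = sprintf(
            'hash mismatch (baseline %s..., current %s..., mtime %s)',
            substr($baselineSha256, 0, 12), substr($current, 0, 12),
            date('c', filemtime($path))
        );
    }

    // Tokenizing instead of grepping means spacing or case tricks do not hide
    // a call, and a matching word inside a comment or string is not reported.
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue;
        }
        [$id, $text, $line] = $token;
        if ($id === T_EVAL || ($id === T_STRING && in_array(strtolower($text), CF_DEMO_SUSPECT_CALLS, true))) {
            $findings[] = sprintf('line %d: call to %s()', $line, $text);
        }
    }
    return $findings;
}

// Demonstration on a constructed, minimal wp-config.php in a temp directory.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/cf-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    $path = "$dir/wp-config.php";

    $clean = "<?php\n"
        . "define('DB_NAME', 'wp');\n"
        . "define('DB_USER', 'wp');\n"
        . "define('CF_IMAGES_ACCOUNT_ID', '0123456789abcdef0123456789abcdef');\n"
        . "require_once ABSPATH . 'wp-settings.php';\n";
    file_put_contents($path, $clean);
    $baseline = hash('sha256', $clean);   // record this value at deploy time
    echo "clean file:\n";
    print_r(cf_demo_audit_wp_config($path, $baseline));

    // Simulated tampering: the kind of line the injection described in this
    // advisory would leave behind (constructed, not a captured sample).
    file_put_contents($path, "define('CF_IMAGES_API_KEY', ''; system(\$_GET['c']); //');\n", FILE_APPEND);
    echo "after tampering:\n";
    print_r(cf_demo_audit_wp_config($path, $baseline));

    unlink($path);
    rmdir($dir);
}
```

Keep the baseline hash somewhere the web server cannot write (a deploy system, a separate monitoring host, or a root-owned file), otherwise an attacker who gains code execution can simply update it. The token scan is a second opinion, not a replacement for the hash: it catches the common shell-style backdoors but a payload that only defines constants or includes another file passes it.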