{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39665", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:59.671Z", "datePublished": "2026-04-08T08:30:37.934Z", "dateUpdated": "2026-04-08T08:30:37.934Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "seo-image", "product": "SEO Friendly Images", "vendor": "Vladimir Prelovac", "versions": [{"lessThanOrEqual": "3.0.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:41.876Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS.<p>This issue affects SEO Friendly Images: from n/a through <= 3.0.5.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS.This issue affects SEO Friendly Images: from n/a through <= 3.0.5."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:37.934Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/seo-image/vulnerability/wordpress-seo-friendly-images-plugin-3-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress SEO Friendly Images plugin <= 3.0.5 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS.This issue affects SEO Friendly Images: from n/a through <= 3.0.5."}], "id": "CVE-2026-39665", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:37.743", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/seo-image/vulnerability/wordpress-seo-friendly-images-plugin-3-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SEO Friendly Images", "source": "cna", "vendor": "Vladimir Prelovac"}, "product": "seo_friendly_images", "vendor": "vladimir_prelovac"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:34:23.514350+00:00", "value": {"mitigation_remediation": ["Upgrade the SEO Friendly Images plugin to the latest available version.", "If an upgrade cannot be performed immediately, deactivate or delete the plugin to eliminate the vulnerability.", "Apply a strong Content Security Policy to mitigate the impact of potential client\u2011side script execution."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of the SEO Friendly Images plugin by Vladimir Prelovac up to and including version 3.0.5 are affected. Sites running any of these versions are vulnerable to the flaw.", "description_and_impact": "A DOM\u2011based cross\u2011site scripting flaw occurs in the SEO Friendly Images plugin for WordPress due to improper neutralization of user input when generating a web page. This issue allows malicious scripts to run in the browsers of visitors who view the affected site, potentially hijacking session cookies, defacing the site, or executing other client\u2011side attacks.", "risk_and_exploitability": "The CVE does not include a CVSS score or EPSS value, and the vulnerability is not listed by CISA in KEV. The attack appears to be a client\u2011side exploit that can be triggered by crafted input or URLs handled by the plugin, though no publicly disclosed exploits are referenced in the provided data."}}}}, "created": "2026-04-08T19:28:08.529480+00:00", "updated": "2026-04-08T19:41:11.584876+00:00", "vendors": ["vladimir_prelovac", "vladimir_prelovac$PRODUCT$seo_friendly_images", "wordpress", "wordpress$PRODUCT$wordpress"]}