CVE-2026-1557

HIGH EXPLOITED NUCLEI

WP Responsive Images <=1.0 - Path Traversal

Title source: llm

Description

The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Exploits (1)

github WORKING POC

by Sechunt3r · shellpoc

https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2026-1557

View Code ZIP pw:eip

Nuclei Templates (1)

WP Responsive Images <= 1.0 - Arbitrary File Read

HIGHVERIFIEDby Shivam Kamboj

References (7)

[Product] https://plugins.trac.wordpress.org/browser/wp-responsive-images/tags/1.0/SBOutputFile.php#L33

[Product] https://plugins.trac.wordpress.org/browser/wp-responsive-images/tags/1.0/WPResponsiveImages.php#L265

[Product] https://plugins.trac.wordpress.org/browser/wp-responsive-images/tags/1.0/image_handler.php#L28

[Product] https://plugins.trac.wordpress.org/browser/wp-responsive-images/trunk/SBOutputFile.php#L33

[Product] https://plugins.trac.wordpress.org/browser/wp-responsive-images/trunk/WPResponsiveImages.php#L265

[Product] https://plugins.trac.wordpress.org/browser/wp-responsive-images/trunk/image_handler.php#L28

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/22c6f81b-d456-44b9-ba6c-8b207a9ee6e1?source=cve

Scores

CVSS v3 7.5

EPSS 0.2807

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2026-04-02

CWE

CWE-22

Status published

Products (1)

stuartbates/WP Responsive Images < 1.0

Published Feb 26, 2026

Tracked Since Feb 26, 2026