CVE-2026-1557
published 2026-02-26


Priority: P1 · 80 · high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 1.72% (74.6th percentile)
The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Affected

1 range
Vendor: stuartbates · Product: wp_responsive_images · Version range: <= 1.0 · Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: /wp-content/plugins/wp-responsive-images/image_handler.php?src=/wp-config.php
Path: /wp-content/plugins/wp-responsive-images/image_handler.php
  • Detect unauthenticated GET requests to image_handler.php whose 'src' parameter contains path traversal sequences or an absolute path (e.g., /wp-config.php). The response body of a successful exploit will contain both 'DB_NAME' and 'DB_PASSWORD'.
  • A response body containing both the 'DB_NAME' and 'DB_PASSWORD' strings indicates a successful arbitrary file read of wp-config.php via this vulnerability.
  • The vulnerable parameter is 'src' in the image_handler.php script of the WP Responsive Images plugin (versions <= 1.0). No authentication is required to exploit this path traversal.
  • The Nuclei template matcher accepts either an HTTP 200 or a 403 status code as a match condition, so a 403 response alone does not confirm exploitation: the body content ('DB_NAME' and 'DB_PASSWORD') must also be present to confirm a true positive.
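An added detection example (not from the source or from the plugin's author) that applies the guidance above to web-server access logs: it flags requests to image_handler.php whose 'src' is an absolute path or carries a traversal sequence, and confirms a file read only from the response body, as the last note requires. The log lines, IP addresses and image filenames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Matches the request line of a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
HANDLER_PATH = "/wp-content/plugins/wp-responsive-images/image_handler.php"


def src_is_traversal(src: str) -> bool:
    """True when a 'src' value points outside the plugin's image directory."""
    # Decode twice so single- and double-URL-encoded '../' or '/' are both caught.
    decoded = unquote(unquote(src)).replace("\\", "/")
    return decoded.startswith("/") or "../" in decoded


def flag_request(log_line: str):
    """Return the suspicious 'src' value for one access-log line, or None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(HANDLER_PATH):
        return None
    for src in parse_qs(parts.query, keep_blank_values=True).get("src", []):
        if src_is_traversal(src):
            return src
    return None


def confirmed_file_read(status: int, body: str) -> bool:
    """Confirm a wp-config.php read from the body only: per the note above,
    a 200 or 403 status by itself is not evidence, so 'status' is not consulted."""
    return "DB_NAME" in body and "DB_PASSWORD" in body


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2026:10:00:01 +0000] "GET /wp-content/plugins/wp-responsive-images/image_handler.php?src=/wp-config.php HTTP/1.1" 200 2810',
    '203.0.113.5 - - [26/Feb/2026:10:00:02 +0000] "GET /wp-content/plugins/wp-responsive-images/image_handler.php?src=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 512',
    '198.51.100.7 - - [26/Feb/2026:10:00:03 +0000] "GET /wp-content/plugins/wp-responsive-images/image_handler.php?src=uploads/2026/02/hero.jpg HTTP/1.1" 200 48213',
    '198.51.100.7 - - [26/Feb/2026:10:00:04 +0000] "GET /wp-content/uploads/2026/02/hero.jpg HTTP/1.1" 200 48213',
]


def scan(lines):
    """Return (line_index, decoded_src) for every request that looks like an attempt."""
    hits = []
    for i, line in enumerate(lines):
        src = flag_request(line)
        if src is not None:
            hits.append((i, unquote(src)))
    return hits


if __name__ == "__main__":
    for idx, src in scan(SAMPLE_LOG):
        print(f"line {idx}: suspicious src={src!r}")
```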

CVSS provenance

NVD: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH