CVE-2025-6626: 
WordPress vulnerability analysis and mitigation

The ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6626) discovered in versions up to and including 3.10.3. The vulnerability was disclosed on August 1, 2025, and affects the API URL Setting functionality (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the API URL Setting. It has been assigned a CVSS v3.1 Base Score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, Wordfence).

The vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled. When successfully exploited, it allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (NVD).

The vulnerability has been patched in version 3.10.5, released on August 1, 2025. Users are strongly recommended to update to this version to receive the security fix. The update includes proper sanitization of the API URL input using sanitizetextfield() function (WordPress Plugin).