Image Alt Text Manager < 1.8.3 – Authenticated (Author+) Stored Cross-Site Scripting via Post Title | CVE 2026-3350 | Plugin Vulnerabilities

Description

The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 1.8.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cc09377b-f30b-414b-a551-d3689ddcc5a4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Itthidej Aramsri (Boeing777), Pattama Tangpoonponwiwat (Kwan), Korn Dhampiban-udom (TayR-D)

Verified

No

WPVDB ID

1a3fb52f-8782-4040-a253-5fbd448c2a3e

Timeline

Publicly Published

2026-03-20 (about 2 months ago)

Added

2026-03-20 (about 2 months ago)

Last Updated

2026-03-20 (about 2 months ago)

Other

Published

Title

Published

2025-02-17

Title

Online Payments – Get Paid with PayPal, Square & Stripe < 3.30.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-27

Title

Permalink Manager Lite < 2.4.3.4 - Reflected Cross-Site Scripting

Published

2024-10-31

Title

(dp) AddThis <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-29

Title

BoldGrid Easy SEO – Simple and Effective SEO < 1.6.14 - Authenticated(Contributor+) Stored Cross-Site Scripting via Meta Description

Published

2021-09-27

Title

WooCommerce Product Table Lite < 2.4.0 - Reflected Cross-Site Scripting