{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3350", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T16:36:10.894Z", "datePublished": "2026-03-20T23:25:13.589Z", "dateUpdated": "2026-04-08T17:23:40.483Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:40.483Z"}, "affected": [{"vendor": "wpsaad", "product": "Image Alt Text Manager \u2013 Bulk & Dynamic Alt Tags For image SEO Optimization + AI", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Image Alt Text Manager <= 1.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Title", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc09377b-f30b-414b-a551-d3689ddcc5a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/alt-manager/tags/1.8.2/inc/alm-empty-generator.php#L150"}, {"url": "https://plugins.trac.wordpress.org/browser/alt-manager/tags/1.8.2/inc/alm-empty-generator.php#L295"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3479531%40alt-manager&new=3479531%40alt-manager&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Pattama Tangpoonponwiwat"}, {"lang": "en", "type": "finder", "value": "Korn Dhampiban-udom"}], "timeline": [{"time": "2026-03-20T10:42:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:51.677244Z", "id": "CVE-2026-3350", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:55:37.554Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3350", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:51.677244Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:52.677Z"}}], "cna": {"title": "Image Alt Text Manager <= 1.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Title", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Pattama Tangpoonponwiwat"}, {"lang": "en", "type": "finder", "value": "Korn Dhampiban-udom"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpsaad", "product": "Image Alt Text Manager \u2013 Bulk & Dynamic Alt Tags For image SEO Optimization + AI", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T10:42:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc09377b-f30b-414b-a551-d3689ddcc5a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/alt-manager/tags/1.8.2/inc/alm-empty-generator.php#L150"}, {"url": "https://plugins.trac.wordpress.org/browser/alt-manager/tags/1.8.2/inc/alm-empty-generator.php#L295"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3479531%40alt-manager&new=3479531%40alt-manager&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:40.483Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3350", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:40.483Z", "dateReserved": "2026-02-27T16:36:10.894Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-20T23:25:13.589Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Image Alt Text Manager para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del t\u00edtulo de la publicaci\u00f3n en todas las versiones hasta la 1.8.2, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes al generar din\u00e1micamente atributos 'alt' y 'title' de imagen utilizando un analizador DOM. Esto hace posible que atacantes autenticados, con acceso de nivel Autor o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-3350", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T00:16:27.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/alt-manager/tags/1.8.2/inc/alm-empty-generator.php#L150"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/alt-manager/tags/1.8.2/inc/alm-empty-generator.php#L295"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3479531%40alt-manager&new=3479531%40alt-manager&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc09377b-f30b-414b-a551-d3689ddcc5a4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Image Alt Text Manager \u2013 Bulk & Dynamic Alt Tags For image SEO Optimization + AI", "source": "cna", "vendor": "wpsaad"}, "product": "image_alt_text_manager_\u2013_bulk_&_dynamic_alt_tags_for_image_seo_optimization_+_ai", "vendor": "wpsaad"}], "analysis": {"en": {"generated_at": "2026-03-21T07:42:05.423097+00:00", "value": {"mitigation_remediation": ["Upgrade the Image Alt Text Manager plugin to a version with the XSS fix (if available).", "If no update exists, uninstall or disable the plugin until a patch is released.", "Limit or remove Author\u2011level capabilities for users who do not need to edit posts.", "Implement a site\u2011wide Content Security Policy that disallows inline scripts and restricts external script execution.", "Scan existing post titles for malicious script content and clean or delete any suspicious entries.", "Monitor site activity for signs of XSS exploitation and review logs for anomalous behavior."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via post titles enabling arbitrary script execution on pages"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Image Alt Text Manager plugin versions up to and including 1.8.2 installed. All such sites are vulnerable regardless of the core WordPress version or other plugins. Any user with Author or higher role on the site can exploit the flaw.", "description_and_impact": "The Image Alt Text Manager plugin for WordPress allows an author\u2011level or higher authenticated user to store malicious scripts in post titles. The plugin builds image alt and title attributes through a DOM parser without sufficient input sanitization or output escaping, leading to stored XSS. This flaw holds the CWE\u201179 classification. An attacker can inject JavaScript that runs whenever any visitor loads a page containing the affected post, potentially leading to cookie theft, session hijacking, defacement, or other client\u2011side compromise.", "risk_and_exploitability": "With a CVSS score of 6.4, the vulnerability is of moderate severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is authenticated; an attacker must log in with Author privileges or higher to inject a malicious title. Once stored, the payload is executed immediately for every user who views the affected page, making the impact immediate and site\u2011wide. Sites with many authors and without mitigation measures face a significant risk of exploitation."}}}}, "created": "2026-03-23T09:51:35.859261+00:00", "updated": "2026-03-25T14:33:35.632994+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpsaad", "wpsaad$PRODUCT$image_alt_text_manager_\u2013_bulk_&_dynamic_alt_tags_for_image_seo_optimization_+_ai"]}