CVE-2026-1557
Published: 26 February 2026
Summary
CVE-2026-1557 is a high-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 3.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The WP Responsive Images plugin for WordPress is vulnerable to path traversal in all versions through 1.0. The flaw exists in the handling of the 'src' parameter within files such as SBOutputFile.php and WPResponsiveImages.php, allowing direct access to arbitrary server paths.
Unauthenticated attackers can exploit the issue over the network by submitting crafted requests that traverse directories and retrieve file contents. Successful exploitation yields high-impact disclosure of sensitive information stored on the server while leaving integrity and availability unaffected, consistent with the CVSS 7.5 rating and CWE-22 classification.
The supplied references point only to the vulnerable plugin source on WordPress Trac and contain no advisory or patch details. The EPSS score has remained in the 0.29–0.32 range without a pronounced rise from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8805
Vulnerability details
The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the…
more
server, which can contain sensitive information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal enables arbitrary local file reads (T1005, T1552.001) on a public-facing WordPress plugin (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the path traversal flaw in the WP Responsive Images plugin by identifying, reporting, and applying patches or updates.
Validates the 'src' parameter to reject path traversal sequences like '../', preventing unauthenticated arbitrary file reads.
Enforces access control policies to restrict the plugin's ability to read files outside intended directories, limiting exposure of sensitive information.