CVE-2026-1557

High

Published: 26 February 2026

Published

26 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.2889 96.6th percentile

Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1557 is a high-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 3.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the path traversal flaw in the WP Responsive Images plugin by identifying, reporting, and applying patches or updates.

SI-10 Information Input Validation good match

prevent

Validates the 'src' parameter to reject path traversal sequences like '../', preventing unauthenticated arbitrary file reads.

AC-3 Access Enforcement partial match

prevent

Enforces access control policies to restrict the plugin's ability to read files outside intended directories, limiting exposure of sensitive information.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Path traversal enables arbitrary local file reads (T1005, T1552.001) on a public-facing WordPress plugin (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the…

server, which can contain sensitive information.

Deeper analysisAI

CVE-2026-1557 is a path traversal vulnerability (CWE-22) in the WP Responsive Images plugin for WordPress, affecting all versions up to and including 1.0. The issue arises in the handling of the 'src' parameter, which allows unauthenticated attackers to read the contents of arbitrary files on the server, potentially exposing sensitive information. Published on 2026-02-26, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact with no requirements for privileges or user interaction.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity by manipulating the 'src' parameter to traverse directories and access files outside the intended path. Exploitation enables retrieval of sensitive server files, such as configuration data or other confidential content, without impacting integrity or availability.

References point to specific vulnerable code locations in the plugin, including line 33 of SBOutputFile.php, line 265 of WPResponsiveImages.php, and line 28 of image_handler.php in both the 1.0 tag and trunk versions.