Cyber Resilience

CVE-2026-1557

High

Published: 26 February 2026

Published
26 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.2889 96.7th percentile
Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1557 is a high-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 3.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The WP Responsive Images plugin for WordPress is vulnerable to path traversal in all versions through 1.0. The flaw exists in the handling of the 'src' parameter within files such as SBOutputFile.php and WPResponsiveImages.php, allowing direct access to arbitrary server paths.

Unauthenticated attackers can exploit the issue over the network by submitting crafted requests that traverse directories and retrieve file contents. Successful exploitation yields high-impact disclosure of sensitive information stored on the server while leaving integrity and availability unaffected, consistent with the CVSS 7.5 rating and CWE-22 classification.

The supplied references point only to the vulnerable plugin source on WordPress Trac and contain no advisory or patch details. The EPSS score has remained in the 0.29–0.32 range without a pronounced rise from a low baseline.

EU & UK References

Vulnerability details

The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the…

more

server, which can contain sensitive information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Path traversal enables arbitrary local file reads (T1005, T1552.001) on a public-facing WordPress plugin (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-50992Shared CWE-22
CVE-2026-32847Shared CWE-22
CVE-2026-30869Shared CWE-22
CVE-2026-35615Shared CWE-22
CVE-2026-33077Shared CWE-22
CVE-2026-27305Shared CWE-22
CVE-2026-30403Shared CWE-22
CVE-2020-36939Shared CWE-22
CVE-2025-10897Shared CWE-22
CVE-2026-28679Shared CWE-22

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the path traversal flaw in the WP Responsive Images plugin by identifying, reporting, and applying patches or updates.

prevent

Validates the 'src' parameter to reject path traversal sequences like '../', preventing unauthenticated arbitrary file reads.

prevent

Enforces access control policies to restrict the plugin's ability to read files outside intended directories, limiting exposure of sensitive information.

References