CVE-2026-3350 in Image Alt Text Manager Plugin
Summary
by MITRE • 03/21/2026
The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The Image Alt Text Manager plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 1.8.2. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's implementation of DOM parsing for dynamically generating image alt and title attributes. The flaw specifically manifests when processing post titles that contain malicious script content, allowing attackers to inject persistent malicious code into the plugin's processing pipeline. The vulnerability is particularly concerning because it requires only author-level privileges to exploit, making it accessible to users who can create and edit posts within the WordPress environment. This low privilege requirement significantly increases the attack surface and potential impact of the vulnerability.
The technical implementation of this vulnerability involves the plugin's use of DOM parsers to extract and manipulate image attributes from post content. When post titles contain malicious script payloads, these inputs are not properly sanitized before being processed through the DOM parsing functions. The lack of proper output escaping means that any malicious content injected into the alt or title attributes gets rendered directly into the HTML output without appropriate encoding or filtering. This creates a persistent XSS vector where the malicious scripts are stored in the database and executed whenever any user views pages containing the compromised content. The vulnerability is classified under CWE-79 as a failure to sanitize or incorrectly sanitizing output, which allows an attacker to inject malicious code that executes in the context of the victim's browser.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. An authenticated attacker with author privileges can inject scripts that target other users with higher privileges, potentially escalating their access level within the WordPress environment. The stored nature of the vulnerability means that the malicious payloads persist in the database and execute every time the affected pages are loaded, creating a continuous threat vector. This vulnerability aligns with ATT&CK technique T1566.001 for phishing with malicious attachments and T1566.002 for spearphishing with malicious links, as attackers can craft malicious posts that appear legitimate to other users. The impact is particularly severe in multi-user WordPress environments where authors may have access to sensitive content or administrative functions.
Mitigation strategies for this vulnerability should focus on immediate patching of the Image Alt Text Manager plugin to the latest version that addresses the XSS flaw. Administrators should implement strict input validation and output escaping for all user-supplied content, particularly in fields used for generating HTML attributes. The WordPress security team recommends that all users update to the patched version immediately and review the plugin's settings to ensure that proper sanitization is applied to all dynamic content generation. Additional protective measures include implementing content security policies to prevent execution of unauthorized scripts and monitoring user activity for suspicious posting patterns. Organizations should also consider restricting author privileges to only those users who absolutely require them, reducing the attack surface for potential XSS exploitation. Regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities in other components of the WordPress ecosystem, as this type of input sanitization failure is commonly found in poorly implemented web applications.