Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Opti…

by | Mar 20, 2026 | Plugins

Attack Vectors

CVE-2026-3350 is a Medium-severity (CVSS 6.4) stored cross-site scripting (XSS) issue affecting Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AI (WordPress plugin slug: alt-manager) in versions 1.8.2 and earlier.

The attack requires an authenticated WordPress user with Author-level access or higher. A malicious (or compromised) Author can inject script content through a post title, which may then execute when other users view affected pages where the plugin dynamically generates image alt and title attributes.

Security Weakness

The vulnerability is caused by insufficient input sanitization and output escaping when the plugin uses a DOM parser to dynamically generate image alt and title attributes based on content such as the post title. Because the injected content is stored and later rendered to visitors or logged-in users, the attack persists until the content is cleaned up.

This matters from a governance perspective because marketing and content workflows often grant Author access to multiple team members, contractors, or agencies—expanding the number of accounts that could be abused if credentials are stolen or misused.

Technical or Business Impacts

A successful stored XSS attack can allow script execution in a victim’s browser when viewing an impacted page. Depending on who views the page (editors, administrators, customers, partners), this can lead to outcomes such as unauthorized actions performed in the user’s session, content manipulation, or theft of session data. While this CVSS rating is Medium, the business impact can be significant if the affected pages are high-traffic landing pages or campaign content.

From a business-risk standpoint, potential impacts include brand damage (malicious redirects or defacement), loss of marketing performance (broken landing pages, reduced conversion trust), and compliance concerns if user data or authenticated sessions are exposed. This is especially relevant for organizations with regulated operations or strict internal controls over web content changes.

Remediation: Update Image Alt Text Manager to version 1.8.3 or newer (patched). After updating, review recent posts (especially those created/edited by Author accounts) for unexpected or suspicious titles, and consider tightening role permissions and enforcing MFA for content teams.
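One way to triage the post-title review described above (an added example, not code from the plugin or from the advisory): it flags titles that carry markup which matters once a title is copied into an alt or title attribute. It assumes a JSON export with `ID`, `post_title` and `post_author` fields, the shape WP-CLI's `wp post list --fields=ID,post_title,post_author --format=json` produces; the sample rows are constructed and the patterns are heuristics chosen for this example.

```python
import html
import json
import re

# Constructed sample rows in the assumed export shape (not real site data).
SAMPLE_EXPORT = json.dumps([
    {"ID": 101, "post_title": "Spring catalogue: 10 new arrivals", "post_author": "4"},
    {"ID": 102, "post_title": 'Launch recap" data-x="1', "post_author": "7"},
    {"ID": 103, "post_title": "Team photo &lt;span id=a&gt;", "post_author": "7"},
    {"ID": 104, "post_title": "Q&A: what's new in 2026", "post_author": "4"},
    {"ID": 105, "post_title": "Promo' onmouseover='void(0)", "post_author": "9"},
])

# Heuristics (assumptions of this example): markup a plain-text title should
# not contain and that changes meaning inside alt="..." or title="...".
CHECKS = [
    ("html tag", re.compile(r"</?[a-zA-Z!]")),
    ("quote followed by attribute assignment", re.compile(r"[\"'`]\s*[\w-]+\s*=")),
    ("inline event handler", re.compile(r"\bon[a-z]{3,}\s*=", re.I)),
]

def decode_entities(text, rounds=3):
    """Undo entity encoding, as a DOM parser does when it reads text."""
    for _ in range(rounds):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text

def findings_for_title(title):
    """Return the labels of every check the decoded title trips."""
    plain = decode_entities(title)
    return [label for label, pattern in CHECKS if pattern.search(plain)]

def review(export_json):
    """Return one row per post whose title needs a human look."""
    flagged = []
    for post in json.loads(export_json):
        hits = findings_for_title(post["post_title"])
        if hits:
            flagged.append({"ID": post["ID"], "author": post["post_author"], "hits": hits})
    return flagged

if __name__ == "__main__":
    for row in review(SAMPLE_EXPORT):
        print(row)
```

A flagged title is a candidate for manual review, not proof of compromise; cross-check the author column against the accounts that hold Author-level access.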

Reference: CVE-2026-3350. Advisory source: Wordfence Vulnerability Intelligence.

Similar Attacks

Stored XSS in CMS platforms and plugins is a recurring pattern because it often arises from inconsistent sanitization/escaping of content fields that get reused across templates and attributes:

CVE-2015-3440 (WordPress) – a stored XSS issue in WordPress core fixed in a security release, demonstrating how persistent script injection can impact visitors and administrators when malicious content is rendered.
