A vulnerability classified as critical was found in vanyukov Offload, AI & Optimize with Cloudflare Images cf-images Plugin up to 1.10.2 on WordPress. Affected is the function sanitize_text_field of the file wp-config.php . The manipulation of the argument account-id results in unrestricted upload. This vulnerability is reported as CVE-2026-9860 . The attack can be launched remotely. No exploit exists.