Impact
The vulnerability arises from inadequate sanitization and escaping of the "Alternative Text" field for images in the Media Library of the Robin Image Optimizer plugin. This flaw allows an attacker to inject arbitrary JavaScript that is stored with the image and rendered whenever that image is displayed, leading to stored cross-site scripting (XSS) against visitors to any page that uses the image. The impact is primarily on the confidentiality and integrity of user sessions, potentially allowing credential theft, session hijacking, or defacement within the affected site.
Affected Systems
All WordPress sites that have the Robin Image Optimizer – Unlimited Image Optimization & WebP Converter plugin installed in version 2.0.2 or earlier are affected. The plugin is provided by Themeisle and is used to optimize images in the WordPress Media Library; any user with the Author role or higher who can edit images may exploit the flaw.
Risk and Exploitability
The vulnerability has a CVSS score of 6.4, indicating a moderate risk. The EPSS score is below 1 percent, showing a very low likelihood of exploitation at present, and it is not listed in the KEV catalog. Exploitation requires an authenticated user with Author or higher privileges to edit an image's alternative text, inject malicious code, and then have that image displayed on any page. Given the need for legitimate author access, the attack surface is limited to sites with multiple authors or where site administrators grant media editing rights to non-admin roles.
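The inadequate sanitization and escaping described under Impact maps to two places in plugin code: where the alt text is written to the database and where it is interpolated into HTML. The following is an added illustration, not the plugin's own code; the `example_` functions are hypothetical, while `_wp_attachment_image_alt` and the WordPress core functions and filter used are real.

```php
<?php
// Added example, not the plugin's own code: the two places a stored-XSS
// defence for image alt text belongs in a WordPress plugin. Function names
// prefixed "example_" are hypothetical; the WordPress core APIs are real.

// 1. Output: render an attachment as an <img> tag.
function example_img_tag_unsafe( $attachment_id ) {
    $alt = get_post_meta( $attachment_id, '_wp_attachment_image_alt', true );
    $src = wp_get_attachment_url( $attachment_id );
    // Defect: $alt is interpolated into an attribute unescaped. A stored
    // value containing a double quote closes the attribute and whatever
    // follows is parsed as further attributes or markup.
    return '<img src="' . esc_url( $src ) . '" alt="' . $alt . '">';
}

function example_img_tag_safe( $attachment_id ) {
    $alt = get_post_meta( $attachment_id, '_wp_attachment_image_alt', true );
    $src = wp_get_attachment_url( $attachment_id );
    // esc_attr() HTML-encodes quotes, angle brackets and ampersands, so the
    // value stays inside the alt attribute regardless of what was stored.
    // Escaping at the point of output is the fix that covers the attribute
    // context; it must not depend on the value having been cleaned on save.
    return '<img src="' . esc_url( $src ) . '" alt="' . esc_attr( $alt ) . '">';
}

// 2. Storage: normalise the value before it reaches the database, so every
// code path that later reads this meta key receives plain text. WordPress
// applies the sanitize_{type}_meta_{key} filter from sanitize_meta(), which
// add_metadata() and update_metadata() call for the key being written.
add_filter(
    'sanitize_post_meta__wp_attachment_image_alt',
    function ( $meta_value ) {
        // Alt text is plain text by definition: strip tags, invalid UTF-8
        // octets and line breaks. Nothing legitimate is lost.
        return is_string( $meta_value ) ? sanitize_text_field( $meta_value ) : '';
    }
);
```

Sanitizing on save is defence in depth only: values stored before the filter was registered remain in the database, which is why output escaping in `example_img_tag_safe()` is the part that actually closes the hole.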
OpenCVE Enrichment