Description
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).
Published: 2026-04-10
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized admin‑level operations via heartbeat endpoint
Action: Apply Patch
AI Analysis

Impact

The WP‑Optimize plugin contains a missing capability check in the receive_heartbeat() handler. This allows any authenticated user with a role of Subscriber or higher to invoke smush functions that normally require administrator privileges. Through accepted heartbeat requests, an attacker can read smush logs, delete all backup images, trigger bulk image processing, or modify smush options, potentially causing data loss or denial of service for the media library.

Affected Systems

WordPress sites running the WP‑Optimize plugin version 4.5.0 or earlier, developed by David Anderson. Any installation with the plugin activated and where a Subscriber role is present is susceptible.

Risk and Exploitability

The CVSS score is 5.4, indicating medium severity. No EPSS data is available and the issue is not listed in the CISA KEV catalog. An attacker only needs an authenticated account with Subscriber or higher privileges to exploit the flaw; no additional conditions are required. The risk is that malicious users could alter site content or deplete server resources through excessive image processing. While the impact is bounded to the permissions of the authenticated user, the potential for media loss or service disruption makes timely remediation important.

Generated by OpenCVE AI on April 10, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP‑Optimize to the latest release, which restores proper capability checks.
  • If an upgrade is not immediately possible, disable the plugin’s heartbeat integration or remove the receive_heartbeat hook to block the vulnerable endpoint.
  • Restrict or remove the Subscriber role when it is not necessary, ensuring only administrators can perform smush operations.
  • Monitor site logs for unexpected smush activity and verify media integrity after incidents.

Generated by OpenCVE AI on April 10, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Davidanderson
Davidanderson wp-optimize – Cache, Compress Images, Minify & Clean Database To Boost Page Speed & Performance
Wordpress
Wordpress wordpress
Vendors & Products Davidanderson
Davidanderson wp-optimize – Cache, Compress Images, Minify & Clean Database To Boost Page Speed & Performance
Wordpress
Wordpress wordpress

Fri, 10 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).
Title WP-Optimize <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and Image Manipulation
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Davidanderson Wp-optimize – Cache, Compress Images, Minify & Clean Database To Boost Page Speed & Performance
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-10T13:46:16.718Z

Reserved: 2026-02-18T20:31:43.704Z

Link: CVE-2026-2712

cve-icon Vulnrichment

Updated: 2026-04-10T13:46:12.357Z

cve-icon NVD

Status : Received

Published: 2026-04-10T02:16:02.913

Modified: 2026-04-10T02:16:02.913

Link: CVE-2026-2712

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:13Z

Weaknesses