Impact
The ShortPixel Image Optimizer plugin contains a PHP Object Injection flaw that allows maliciously crafted serialized PHP objects to be processed by the plugin. If an attacker can provide such objects to the plugin’s codepath, the plugin may unserialize the data without adequate validation, potentially leading to unintended execution of code embedded in the objects. The weakness is classified as CWE-502, reflecting unsafe deserialization practices. Consequently, a successful exploitation could compromise the integrity of the affected WordPress site and provide the attacker with more powerful capabilities than the plugin intended.
Affected Systems
This vulnerability affects the WordPress ShortPixel Image Optimizer plugin for all releases up to and including version 6.4.3. The plugin is widely installed on WordPress sites that automatically optimize images upon upload or during bulk processing.
Risk and Exploitability
The CVSS score of 7.2 indicates a moderate to high severity impact, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Based on the description, it can be inferred that the attack vector would involve sending a crafted serialized object to HTTP endpoints handled by the plugin, such as image upload or configuration APIs. An attacker would need a valid authenticated session with write permissions to the plugin’s settings or image library to trigger the vulnerable code path.
OpenCVE Enrichment