Description
Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
Published: 2026-06-15
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ShortPixel Image Optimizer plugin contains a PHP Object Injection flaw that allows maliciously crafted serialized PHP objects to be processed by the plugin. If an attacker can provide such objects to the plugin’s codepath, the plugin may unserialize the data without adequate validation, potentially leading to unintended execution of code embedded in the objects. The weakness is classified as CWE-502, reflecting unsafe deserialization practices. Consequently, a successful exploitation could compromise the integrity of the affected WordPress site and provide the attacker with more powerful capabilities than the plugin intended.

Affected Systems

This vulnerability affects the WordPress ShortPixel Image Optimizer plugin for all releases up to and including version 6.4.3. The plugin is widely installed on WordPress sites that automatically optimize images upon upload or during bulk processing.

Risk and Exploitability

The CVSS score of 7.2 indicates a moderate to high severity impact, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Based on the description, it can be inferred that the attack vector would involve sending a crafted serialized object to HTTP endpoints handled by the plugin, such as image upload or configuration APIs. An attacker would need a valid authenticated session with write permissions to the plugin’s settings or image library to trigger the vulnerable code path.

Generated by OpenCVE AI on June 17, 2026 at 23:02 UTC.

Remediation

Vendor Solution

Update the WordPress ShortPixel Image Optimizer Plugin to the latest available version (at least 6.4.4).


OpenCVE Recommended Actions

  • Upgrade the ShortPixel Image Optimizer plugin to version 6.4.4 or later.
  • If an immediate update cannot be performed, temporarily disable the plugin until the fix is applied.
  • Restrict access to the plugin’s administration pages to trusted administrators only, ensuring that only authorized users can trigger image optimization functions.

Generated by OpenCVE AI on June 17, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Shortpixel
Shortpixel shortpixel Image Optimizer
Wordpress
Wordpress wordpress
Vendors & Products Shortpixel
Shortpixel shortpixel Image Optimizer
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
Title WordPress ShortPixel Image Optimizer plugin <= 6.4.3 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Shortpixel Shortpixel Image Optimizer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:16:38.626Z

Reserved: 2026-04-07T10:41:57.169Z

Link: CVE-2026-39471

cve-icon Vulnrichment

Updated: 2026-06-15T22:16:34.780Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:43.860

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39471

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:15:14Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data