Description
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
Published: 2026-03-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

ShortPixel Image Optimizer for WordPress contains a stored cross‑site scripting flaw that allows an authenticated user with Author-level access or higher to insert malicious JavaScript into an attachment title. When a higher‑privileged user opens the ShortPixel AI editor popup for that attachment, the vulnerability causes the script to execute in the victim’s browser, compromising the confidentiality or integrity of the browser session.

Affected Systems

This issue affects WordPress installations running ShortPixel Image Optimizer version 6.4.3 or any earlier release, regardless of which plugin features are in use: the unescaped template is shipped with the plugin itself. The injected script only runs when a higher-privileged user opens the plugin's AI editor popup (Background Removal or Image Upscale) for the poisoned attachment, so sites whose administrators use those AI features are the most exposed.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity; the vulnerability is not listed in CISA's KEV catalog, and its EPSS score is below 1%. The attack path runs through the WordPress REST API, which lets Authors set arbitrary attachment titles, including double-quote characters, so a crafted post_title closes the value attribute in the popup template and appends an event-handler attribute of the attacker's choosing. Exploitation requires Author or higher privileges to create or modify an attachment, and the payload executes only when a higher-privileged user opens the editor popup for that attachment (UI:R), with the script running in the site's origin and therefore able to act with that user's session (S:C).
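The attribute breakout described above, modelled as an added example that is not the plugin's code: the two render functions reproduce the pattern the description gives (post_title echoed into an input element's value attribute), with Python's html.escape(quote=True) standing in for WordPress esc_attr(); the template fragment, the attachment title and the attribute names are constructed for illustration. Parsing the rendered markup the way a browser would shows which attributes the victim's browser actually sees in each case.

```python
"""Model of the value-attribute breakout in the ShortPixel editor popup.

Added example, not the plugin's code. The template fragment mirrors the
pattern the advisory describes (post_title interpolated into an <input>
value attribute); html.escape(quote=True) plays the role of esc_attr().
"""
from html import escape
from html.parser import HTMLParser

# Constructed attacker-controlled attachment title, of the kind an Author can
# set through the WordPress REST API: it closes the value attribute and
# appends an event-handler attribute (plus autofocus so it fires on open).
POISONED_TITLE = 'cat.jpg" onfocus="alert(document.cookie)" autofocus="'


def render_popup_vulnerable(post_title: str) -> str:
    """Unescaped interpolation: the defect the advisory describes."""
    return f'<input type="text" name="title" value="{post_title}">'


def render_popup_fixed(post_title: str) -> str:
    """Attribute-context escaping; esc_attr() is the WordPress equivalent."""
    return f'<input type="text" name="title" value="{escape(post_title, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser would see on the first <input>."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            # HTMLParser decodes entities in attribute values, as a browser does.
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Return the parsed attribute map of the first <input> in markup."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs or {}


def event_handlers(markup: str) -> list:
    """Names of any on* attributes; a non-empty list means the title broke out."""
    return sorted(name for name in input_attributes(markup) if name.startswith("on"))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_popup_vulnerable),
                          ("fixed", render_popup_fixed)):
        markup = render(POISONED_TITLE)
        print(label, markup)
        print("  event handlers :", event_handlers(markup))
        print("  value intact   :", input_attributes(markup).get("value") == POISONED_TITLE)
```

The same parser-based check is a reasonable way to carry out the verification step recommended below: set a title containing a double quote and an `on*=` fragment, fetch the popup markup, and confirm that the resulting input element carries no event-handler attribute and that its value attribute round-trips to the title you set.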

Generated by OpenCVE AI on March 26, 2026 at 04:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShortPixel Image Optimizer to the most recent release that addresses the stored XSS flaw.
  • After the upgrade, verify that the editor popup no longer renders unescaped attachment titles by testing with a sample attachment title containing special characters.
  • If a fixed release is not yet available, consider deactivating the ShortPixel plugin, or auditing attachment titles for double-quote characters and removing or retitling any affected attachments until a fix is released.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Shortpixel; Shortpixel shortpixel Image Optimizer – Optimize Images, Convert Webp & Avif; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Shortpixel; Shortpixel shortpixel Image Optimizer – Optimize Images, Convert Webp & Avif; Wordpress; Wordpress wordpress

Thu, 26 Mar 2026 03:45:00 +0000

Type: Description
Values removed: (none)
Values added: (the description shown at the top of this page)

Type: Title
Values removed: (none)
Values added: ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (empty)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:25.085Z

Reserved: 2026-03-17T14:15:42.197Z

Link: CVE-2026-4335

Vulnrichment

Updated: 2026-03-26T17:48:39.486Z

NVD

Status : Awaiting Analysis

Published: 2026-03-26T04:17:12.810

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-4335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:45Z

Weaknesses