{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4335", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T14:15:42.197Z", "datePublished": "2026-03-26T02:25:20.157Z", "dateUpdated": "2026-03-26T02:25:20.157Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T02:25:20.157Z"}, "affected": [{"vendor": "shortpixel", "product": "ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP & AVIF", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "6.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment."}], "title": "ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a156234f-2644-4d17-aaa5-4f088cf48f73?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/view/snippets/media-popup.php#L139"}, {"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/view/snippets/media-popup.php#L139"}, {"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/Controller/AjaxController.php#L449"}, {"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/Controller/AjaxController.php#L449"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490270%40shortpixel-image-optimiser&new=3490270%40shortpixel-image-optimiser&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "daroo"}], "timeline": [{"time": "2026-03-17T14:30:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment."}], "id": "CVE-2026-4335", "lastModified": "2026-03-26T04:17:12.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T04:17:12.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/Controller/AjaxController.php#L449"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/view/snippets/media-popup.php#L139"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/Controller/AjaxController.php#L449"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/view/snippets/media-popup.php#L139"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490270%40shortpixel-image-optimiser&new=3490270%40shortpixel-image-optimiser&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a156234f-2644-4d17-aaa5-4f088cf48f73?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP & AVIF", "source": "cna", "vendor": "shortpixel"}, "product": "shortpixel_image_optimizer_\u2013_optimize_images,_convert_webp_&_avif", "vendor": "shortpixel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T04:55:08.088170+00:00", "value": {"mitigation_remediation": ["Upgrade ShortPixel Image Optimizer to the most recent release that addresses the stored XSS flaw.", "After the upgrade, verify that the editor popup no longer renders unescaped attachment titles by testing with a sample attachment title containing special characters.", "If a newer patch is not yet available, consider disabling the ShortPixel plugin or removing the affected attachment until a fix is released."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This issue affects WordPress installations running ShortPixel Image Optimizer version 6.4.3 or any earlier release. Sites that use the plugin for image optimization, WebP/AVIF conversion, or background removal are vulnerable if the plugin has not been updated beyond the affected versions.", "description_and_impact": "ShortPixel Image Optimizer for WordPress contains a stored cross\u2011site scripting flaw that allows an authenticated user with Author-level access or higher to insert malicious JavaScript into an attachment title. When a higher\u2011privileged user opens the ShortPixel AI editor popup for that attachment, the vulnerability causes the script to execute in the victim\u2019s browser, compromising the confidentiality or integrity of the browser session.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the vulnerability is not listed in CISA\u2019s KEV catalog. EPSS data is currently unavailable. The likely attack vector is through the WordPress REST API, as authors can set arbitrary attachment titles that break out of an HTML attribute; this inference follows the description that the flaw is triggered by a crafted post_title. Exploitation requires the attacker to possess Author or higher privileges to create or modify an attachment and relies on the target user opening the editor popup to trigger the injected script."}}}}, "created": "2026-03-26T11:30:44.532948+00:00", "updated": "2026-03-26T12:08:45.296114+00:00", "vendors": ["shortpixel", "shortpixel$PRODUCT$shortpixel_image_optimizer_\u2013_optimize_images,_convert_webp_&_avif", "wordpress", "wordpress$PRODUCT$wordpress"]}