Description
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the front-end HTML, making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value in rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute in tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
Published: 2026-04-11
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Optimole WordPress plugin contains a stored cross-site scripting flaw that allows an unauthenticated attacker to inject arbitrary web scripts via the 's' (srcset descriptor) parameter of the /wp-json/optimole/v1/optimizations REST endpoint. sanitize_text_field() strips HTML tags from the descriptor but leaves double quotes intact, and the value is stored in a transient and later written verbatim into the srcset attribute of an image tag without attribute escaping. A descriptor containing a double quote therefore closes the srcset attribute and lets the attacker append further attributes, such as an event handler, to the tag. As a result, any visitor viewing a page that renders the poisoned image tag will have the injected script executed in their browser.
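The following Python script is an added illustration of the mechanism described in the Description and in the Impact paragraph above; it is not code from Optimole, Wordfence or OpenCVE. It models the three stages the advisory names (tag-stripping sanitization that keeps double quotes, verbatim interpolation into a double-quoted srcset attribute, and the missing attribute escaping), parses the resulting markup the way a browser would, and adds a check a responder can run over wp_options rows to find descriptors that were stored before a fix. The functions sanitize_text_field_like() and esc_attr_like() are approximations of the WordPress helpers written here so the script runs offline; the image URL, the payload, the option rows and the transient names are constructed sample data, not Optimole's real keys.

```python
"""Attribute-context XSS of the kind described for CVE-2026-5217, modelled.

Added illustration; none of this is Optimole's code. Two WordPress helpers
are approximated so the script runs offline (assumption):
  sanitize_text_field_like() strips tags but leaves double quotes alone,
      the property of sanitize_text_field() the advisory relies on;
  esc_attr_like() encodes quotes the way esc_attr() does.
The image URL, descriptor payload and wp_options rows are constructed data;
the transient names are placeholders, not Optimole's real keys.
"""
import html
import re
from html.parser import HTMLParser

TAG_RE = re.compile(r"<[^>]*>")


def sanitize_text_field_like(value: str) -> str:
    """Approximation of sanitize_text_field(): drop tags, collapse whitespace,
    leave quotes untouched. That last property is what the bug depends on."""
    value = TAG_RE.sub("", value)
    return re.sub(r"\s+", " ", value).strip()


def esc_attr_like(value: str) -> str:
    """Approximation of esc_attr(): encode & < > " ' for an attribute value."""
    return html.escape(value, quote=True)


def render_img_vulnerable(url: str, descriptor: str) -> str:
    """The pattern the advisory describes: a tag-stripped descriptor is stored
    (here a variable, in the plugin a transient) and later interpolated
    verbatim into a double-quoted srcset attribute."""
    stored = sanitize_text_field_like(descriptor)
    return f'<img src="{url}" srcset="{url} {stored}">'


def render_img_fixed(url: str, descriptor: str) -> str:
    """Same flow with attribute escaping applied at output time, so a quote
    in the stored value can no longer terminate the attribute."""
    stored = sanitize_text_field_like(descriptor)
    return (f'<img src="{esc_attr_like(url)}" '
            f'srcset="{esc_attr_like(url)} {esc_attr_like(stored)}">')


class _ImgAttrs(HTMLParser):
    """Collects the attributes of the first <img> the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            self.attrs = dict(attrs)


def img_attributes(markup: str) -> dict:
    """Parse markup as a browser would and return the <img> attributes.
    An injected event handler shows up here as its own key."""
    parser = _ImgAttrs()
    parser.feed(markup)
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True if the rendered <img> carries any on* attribute."""
    return any(name.startswith("on") for name in img_attributes(markup))


# Hunting already-stored payloads: a descriptor that closes the attribute and
# opens an event handler looks like  ... 2x" onload="...
BREAKOUT_RE = re.compile(r'"\s*on\w+\s*=', re.IGNORECASE)


def find_poisoned_transients(rows):
    """rows: (option_name, option_value) pairs as read from wp_options.
    Returns the names of transient rows whose value contains an attribute breakout."""
    return [name for name, value in rows
            if name.startswith(("_transient_", "_site_transient_"))
            and BREAKOUT_RE.search(value)]


if __name__ == "__main__":
    URL = "https://cdn.example/image.jpg"             # constructed
    PAYLOAD = '2x" onload="alert(document.domain)'    # constructed
    print(render_img_vulnerable(URL, PAYLOAD))
    print(render_img_fixed(URL, PAYLOAD))
    SAMPLE_ROWS = [                                    # constructed, placeholder names
        ("_transient_sample_descriptor_1", f"{URL} {PAYLOAD}"),
        ("_transient_sample_descriptor_2", f"{URL} 1x"),
        ("blogname", 'Shop " onload="not a transient'),
    ]
    print(find_poisoned_transients(SAMPLE_ROWS))
```

Running the script prints the vulnerable tag, where the parser sees a separate onload attribute, the escaped tag, where the whole payload stays inside the srcset value, and the one constructed row flagged by the hunt. The point of the fixed variant is that escaping belongs at the output sink (esc_attr() for attribute context) regardless of what sanitization happened on input. When applying the hunt to a real site, note that transients live in a persistent object cache rather than in wp_options if one is configured, so the cache must be inspected or flushed as well.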

Affected Systems

Any WordPress site running the Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin in version 4.2.2 or earlier is affected; no release before 4.2.2 is exempt.

Risk and Exploitability

The CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) indicates a high-severity flaw with changed scope: the injected script runs in the browsers of the site's visitors rather than in the plugin itself. The REST endpoint requires no authentication, and the HMAC signature and timestamp it checks are exposed in the front-end HTML, so any visitor can copy them and submit a single request carrying a malicious srcset descriptor, which makes exploitation straightforward. There is no public evidence of exploitation (EPSS below 1%, SSVC Exploitation: none), and the vulnerability is not listed in the CISA KEV catalog, which tracks only vulnerabilities with evidence of active exploitation. Nonetheless, the combination of a high severity score, unauthenticated access and an SSVC rating of Automatable: yes presents a significant risk to sites that have not been patched.

Generated by OpenCVE AI on April 11, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Optimole plugin to a version newer than 4.2.2.
  • If an upgrade is not immediately possible, remove or deactivate the Optimole plugin from the WordPress installation to eliminate the vulnerable endpoint.
  • After upgrading, check for payloads stored before the fix: the poisoned descriptor lives in a transient backed by the wp_options table (or in the persistent object cache, if one is configured), and upgrading the code does not by itself guarantee that previously stored values are removed. Inspect transient values for a double quote followed by an attribute name, or clear the plugin's transients (for example with wp transient delete --all in WP-CLI) so the tag replacer regenerates them.


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Optimole; Optimole optimole – Optimize Images In Real Time; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Optimole; Optimole optimole – Optimize Images In Real Time; Wordpress; Wordpress wordpress

Sat, 11 Apr 2026 01:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.

Type: Title
Values Removed: (none)
Values Added: Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-13T15:15:08.543Z

Reserved: 2026-03-31T11:22:09.160Z

Link: CVE-2026-5217

Vulnrichment

Updated: 2026-04-13T15:11:38.091Z

NVD

Status: Deferred

Published: 2026-04-11T02:16:02.953

Modified: 2026-04-24T18:00:32.033

Link: CVE-2026-5217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:44Z

Weaknesses