Description
The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-04-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting that can execute arbitrary JavaScript in a visitor’s browser
Action: Immediate Patch
AI Analysis

Impact

The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to a reflected cross‑site scripting (XSS) flaw. Insufficient escaping of user‑supplied URL paths in the get_current_url() function leads to arbitrary JavaScript being injected into the page. An attacker can insert malicious code that will run in the browser of anyone who visits the crafted URL, potentially enabling cookie theft, session hijacking, defacement or other client‑side compromise.

Affected Systems

Any WordPress installation that uses the Optimole plugin, version 4.2.3 or earlier, is affected. The flaw resides in the page profiler URL handling within the plugin’s admin and manager modules. Users of these versions should assume the entire WordPress site is vulnerable to XSS through that specific endpoint.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity vulnerability. An unauthenticated attacker can exploit it via a crafted link that a victim clicks, without needing special permissions. EPSS data is not available, and the flaw is not currently listed in the CISA KEV catalog, but the lack of exploitation data does not eliminate risk. The vulnerability is exploitable in a true web‑based environment and can be triggered remotely by any user who follows the malicious link.

Generated by OpenCVE AI on April 11, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Optimole plugin to version 4.2.4 or later, which contains the XSS fix.
  • If an update cannot be applied immediately, disable or restrict access to the page profiler URL feature to prevent exploitation.
  • Verify that the commercial or open‑source host does not expose the vulnerable endpoint before making the site publicly accessible.
  • Continue to monitor security advisories from Optimole for any additional mitigations or updates.

Generated by OpenCVE AI on April 11, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Optimole
Optimole optimole – Optimize Images In Real Time
Wordpress
Wordpress wordpress
Vendors & Products Optimole
Optimole optimole – Optimize Images In Real Time
Wordpress
Wordpress wordpress

Sat, 11 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Description The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Optimole Optimole – Optimize Images In Real Time
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-13T12:27:49.136Z

Reserved: 2026-03-31T13:15:00.960Z

Link: CVE-2026-5226

cve-icon Vulnrichment

Updated: 2026-04-13T12:27:41.879Z

cve-icon NVD

Status : Deferred

Published: 2026-04-11T02:16:03.120

Modified: 2026-04-24T18:00:32.033

Link: CVE-2026-5226

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:56:46Z

Weaknesses