Description
Unauthenticated Cross Site Scripting (XSS) in Optimole <= 4.2.7 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Cross Site Scripting in the WordPress Optimole plugin allows an attacker without any account on the site to inject script that executes in the browsers of users who view the affected content. The weakness is classified as CWE-79, Improper Neutralization of Input During Web Page Generation.

Affected Systems

The affected software is the WordPress Optimole plugin, a widely used image optimization plugin. Any WordPress installation running Optimole 4.2.7 or earlier is affected; the advisory does not restrict the issue to any particular WordPress core version.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) follows from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the flaw is reachable over the network by an attacker with no privileges, but exploitation requires user interaction, so a victim must be induced to load the crafted content, for example by following a link the attacker prepared. The changed scope reflects that the injected script runs in the victim's browser rather than inside the plugin itself. The EPSS score is below 1% (very low), the SSVC assessment records no known exploitation and rates the issue as not automatable, and the vulnerability is not listed in CISA's KEV catalog. Because no account is needed to prepare the request, the issue is actionable for any remote attacker; the payoff depends on who renders the result, and a logged-in administrator is the most valuable victim, since script running in that session inherits the administrator's WordPress privileges.

Generated by OpenCVE AI on July 3, 2026 at 10:21 UTC.
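The mechanics described above, as an added example (illustrative Python, not Optimole's PHP): a handler that echoes two unauthenticated query parameters, "caption" and "src", into HTML, first with no encoding and then with encoding chosen per output context. The parameter names, template and payloads are constructed for the demonstration; the hardened version approximates what WordPress's esc_html(), esc_attr() and esc_url() do, and also shows why escaping alone is not enough for a URL attribute.

```python
"""Reflected XSS (CWE-79): a handler that echoes unauthenticated request
parameters into HTML, shown vulnerable and then hardened with
context-aware output encoding.

Added illustration, not Optimole's code: the "caption" and "src" query
parameters, the HTML template and the payloads are constructed here.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed payloads, one per HTML context the template writes into.
PAYLOADS = {
    "text_node": "<script>alert(document.domain)</script>",
    "attribute": 'https://cdn.example/x.png" onerror="alert(1)',
    "url_scheme": "javascript:alert(1)",
}


def query_param(url, name):
    """Percent-decode one query-string value, as a web framework would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(caption, src):
    """Interpolates raw request input into a URL attribute and a text node."""
    return (f'<figure><a href="{src}"><img src="{src}"></a>'
            f'<figcaption>{caption}</figcaption></figure>')


def safe_url(src):
    """Allow only http(s) references; anything else is dropped, not escaped,
    because attribute encoding cannot neutralize a javascript: scheme."""
    return src if urlsplit(src).scheme.lower() in ALLOWED_SCHEMES else ""


def render_hardened(caption, src):
    """Encode per context (roughly what WordPress esc_url/esc_attr/esc_html do)."""
    href = html.escape(safe_url(src), quote=True)   # URL attribute: validate, then quote-escape
    text = html.escape(caption, quote=False)         # text node: & < > suffice
    return (f'<figure><a href="{href}"><img src="{href}"></a>'
            f'<figcaption>{text}</figcaption></figure>')


def payload_reached_markup(renderer, context):
    """Simulate the unauthenticated request and report whether the raw
    payload survived verbatim into the generated page for that context."""
    payload = PAYLOADS[context]
    params = {"caption": "photo", "src": "https://cdn.example/x.png"}
    params["caption" if context == "text_node" else "src"] = payload
    url = "https://victim.example/?" + urlencode(params)
    markup = renderer(query_param(url, "caption"), query_param(url, "src"))
    return payload in markup


def summary():
    """Map each context to (vulnerable, hardened) outcomes."""
    return {ctx: (payload_reached_markup(render_vulnerable, ctx),
                  payload_reached_markup(render_hardened, ctx))
            for ctx in PAYLOADS}


if __name__ == "__main__":
    for ctx, (vuln, hard) in summary().items():
        print(f"{ctx:10s} vulnerable={vuln} hardened={hard}")
```

The third payload is the one worth remembering: `javascript:alert(1)` contains no character that HTML escaping touches, so a template that escapes a URL attribute but does not validate its scheme is still exploitable. That is why the hardened version allowlists the scheme before escaping.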

Remediation

Vendor Solution

Update the WordPress Optimole plugin to the latest available version (4.2.8 or later).


OpenCVE Recommended Actions

  • Update the Optimole plugin to version 4.2.8 or later.
  • If the update cannot be applied immediately, deactivate the plugin or remove it from affected WordPress installations until it can be updated.
  • As a stopgap only, deploy a Web Application Firewall rule that blocks or sanitizes common XSS payloads in requests to the Optimole plugin's endpoints. Such rules can be bypassed with encoding variants or event handlers the rule does not list, and they do not replace the fix, which is the output encoding in the patched plugin.

Generated by OpenCVE AI on July 3, 2026 at 10:21 UTC.
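The WAF stopgap in the last recommended action, as an added example (not a vendor or plugin rule): a small request screener whose signatures only catch encoded payloads once the value is normalized, and which also shows the kind of handler such a list misses. The signatures, sample query strings and parameter names are constructed for the demonstration; nothing here refers to an actual Optimole endpoint.

```python
"""Stop-gap request screening of the kind a WAF rule for XSS performs,
with the input normalization that decides whether the rule catches
encoded variants.

Added illustration, not a vendor or plugin rule: the signature list and
the sample query strings are constructed here, and no Optimole endpoint
or parameter name is implied.
"""
import html
import re
from urllib.parse import unquote

# Signatures for the most common payload shapes; deliberately incomplete,
# as every such list is.
XSS_SIGNATURES = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(error|load|mouseover|focus|toggle)\s*=", re.I),
]

# Constructed sample query strings, as they would arrive on the wire.
SAMPLES = {
    "benign": "src=https%3A%2F%2Fcdn.example%2Fphoto.png&w=800",
    "plain": "src=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    # %25 is an encoded '%': the payload is percent-encoded twice.
    "double_encoded": "src=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
    # ':' hidden as the HTML entity &#58;, which a browser decodes inside href.
    "entity_scheme": "href=javascript%26%2358%3Balert(1)",
    # A real event handler the signature list above does not know.
    "unlisted_handler": "src=x%22%20onpointerenter%3Dalert(1)",
}


def normalize(value, max_rounds=3):
    """Undo the layers attackers use against naive matching: '+' for space,
    repeated percent-decoding, HTML entities. Bounded so a hostile value
    cannot make the filter loop."""
    prev = None
    for _ in range(max_rounds):
        if value == prev:
            break
        prev = value
        value = html.unescape(unquote(value.replace("+", " ")))
    return value.replace("\x00", "")


def screen(query_string, normalized=True):
    """Return ('block', reason) on the first signature hit, else ('allow', '').
    With normalized=False the value is decoded once, as a naive rule would."""
    for pair in query_string.split("&"):
        name, _, raw = pair.partition("=")
        value = normalize(raw) if normalized else unquote(raw)
        for sig in XSS_SIGNATURES:
            if sig.search(value):
                return "block", f"{name} matched {sig.pattern}"
    return "allow", ""


if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label:16s} naive={screen(qs, False)[0]:5s} normalized={screen(qs)[0]}")
```

Run stand-alone, the script shows the double-encoded and entity-encoded samples passing the naive check and being blocked only after normalization, while the `onpointerenter` sample passes both: the event-handler list is never complete, which is the reason the rule is a stopgap and not a fix.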

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type         Values Removed   Values Added
Description  -                Unauthenticated Cross Site Scripting (XSS) in Optimole <= 4.2.7 versions.
Title        -                WordPress Optimole plugin <= 4.2.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses   -                CWE-79
References   -
Metrics      -                cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T19:39:29.404Z

Reserved: 2026-06-25T08:03:37.652Z

Link: CVE-2026-57673

Vulnrichment

Updated: 2026-07-02T19:39:23.375Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T10:30:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')