Vulnerabilities and security researches foroptimole-wp optimole-wp

Jun 07, 2024

CVE, Research URL: CVE-2024-4636
Home page URL: Security reports for Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Application: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Date: May 15, 2024
Research Description: The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.13.0.
Status: vulnerable

CVE, Research URL: CVE-2022-0969
Home page URL: Security reports for Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Application: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Date: Apr 11, 2022
Research Description: The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.
Affected versions: max 3.3.2.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-11519
Home page URL: Security reports for Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Application: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Date: Oct 18, 2025
Research Description: The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them.
Affected versions: max 4.1.1.
Status: vulnerable

Apr 14, 2026

CVE, Research URL: CVE-2026-5217
Home page URL: Security reports for Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Application: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Date: Apr 11, 2026
Research Description: The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
Affected versions: max 4.2.3.
Status: vulnerable

CVE, Research URL: CVE-2026-5226
Home page URL: Security reports for Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Application: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Date: Apr 11, 2026
Research Description: The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 4.2.4.
Status: vulnerable

Jun 19, 2026

CVE, Research URL: CVE-2026-11784
Home page URL: Security reports for Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Application: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Date: Jun 18, 2026
Research Description: The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file function. This makes it possible for unauthenticated attackers to overwrite existing media attachments with attacker-supplied file content by supplying a forged multipart POST request targeting any attachment the victim has edit_post capability over via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The forged request requires a victim with at least Author-level privileges, as the handler enforces a current_user_can('edit_post', $id) check; tricking an Author-level or higher user into clicking a crafted link is sufficient to trigger the overwrite against attachments that user can edit.
Affected versions: max 4.2.7.
Status: vulnerable