Vulnerabilities and security research for shortpixel-image-optimiser
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # c6d0d7d00104f4d04df374d0a0b63506e6950cb3
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Jun 14, 2022
- Research Description
- ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser] < 4.22.10. WordPress ShortPixel Image Optimizer plugin <= 4.22.9 - Reflected Cross-Site Scripting (XSS) vulnerability. Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress ShortPixel Image Optimizer plugin (versions <= 4.22.9). Update the WordPress ShortPixel Image Optimizer plugin to the latest available version (at least 4.22.10).
- Affected versions
- max 4.22.10.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2024-48043
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Oct 17, 2024
- Research Description
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ShortPixel ShortPixel Image Optimizer shortpixel-image-optimiser allows Blind SQL Injection. This issue affects ShortPixel Image Optimizer: from n/a through <= 5.6.3.
- Affected versions
- max 5.6.4.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2024-48044
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in ShortPixel ShortPixel Image Optimizer shortpixel-image-optimiser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShortPixel Image Optimizer: from n/a through <= 5.6.3.
- Affected versions
- max 5.6.4.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2025-11378
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Oct 18, 2025
- Research Description
- The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
- Affected versions
- max 6.3.5.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2026-4335
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Mar 26, 2026
- Research Description
- The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
- Affected versions
- max 6.4.4.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2026-1246
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Feb 05, 2026
- Research Description
- The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
- Affected versions
- max 6.4.3.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2026-39471
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Jun 16, 2026
- Research Description
- Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
- Affected versions
- max 6.4.4.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # 8a0ddd14-7260-4fb6-bb87-2916aa41ff01
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- -
- Research Description
- ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser] < 4.22.10. ShortPixel Image Optimizer < 4.22.10 - Reflected Cross-Site Scripting. The plugin does not escape generated URLs before outputting them back in an attribute, leading to Reflected Cross-Site Scripting.
- Affected versions
- max 4.22.10.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # 1217d5288b3a270b031fd617b0546a2bd1a6c927
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Sep 14, 2023
- Research Description
- ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser] < 5.4.2. ShortPixel Image Optimizer <= 5.4.1 - Authenticated (Editor+) PHP Object Injection. The ShortPixel Image Optimizer plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 5.4.1 via deserialization of untrusted input in post content. This allows authenticated attackers with editor capabilities or above to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
- Affected versions
- max 5.4.2.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # d65dac689d778d88ac3adceb7e3f1e0e5c4df345
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Sep 15, 2023
- Research Description
- ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser] < 5.4.2. WordPress ShortPixel Image Optimizer Plugin < 5.4.2 is vulnerable to PHP Object Injection. Update the WordPress ShortPixel Image Optimizer plugin to the latest available version (at least 5.4.2). Unknown discovered and reported this PHP Object Injection vulnerability in WordPress ShortPixel Image Optimizer Plugin. This could allow a malicious actor to execute code injection, SQL injection, path traversal, denial of service, and more if a proper POP chain is present. This vulnerability has been fixed in version 5.4.2.
- Affected versions
- max 5.4.2.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # 3e92968d-e613-48a5-b73c-af7a9872e179
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- -
- Research Description
- ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser] < 5.4.2. ShortPixel Image Optimizer < 5.4.2 - Authenticated (Editor+) PHP Object Injection. The ShortPixel Image Optimizer plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 5.4.1 via deserialization of untrusted input in post content. This allows authenticated attackers with editor capabilities or above to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
- Affected versions
- max 5.4.2.
- Status
- vulnerable
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # 21383c2816b3464f8619032ef4e29fc2e1e33151
- CVE, Research URL
- Home page URL
- Security reports for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Date
- Jun 02, 2022
- Research Description
- ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser] < 4.22.10. ShortPixel Image Optimizer <= 4.22.9 - Reflected Cross-Site Scripting. The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in versions up to, and including, 4.22.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
- max 4.22.10.
- Status
- vulnerable