cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for shortpixel-image-optimiser

Apr 15, 2026

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2026-1246
CVE: CVE-2026-1246
Date: Feb 05, 2026
Research Description: The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Affected versions: max 6.4.3.
Status: vulnerable
Apr 13, 2026

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2026-4335
CVE: CVE-2026-4335
Date: Mar 26, 2026
Research Description: The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
Affected versions: max 6.4.4.
Status: vulnerable
Dec 10, 2025

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2025-11378
CVE: CVE-2025-11378
Date: Oct 18, 2025
Research Description: The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
Affected versions: max 6.3.5.
Status: vulnerable
Oct 16, 2024

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2024-48043
CVE: CVE-2024-48043
Date: Oct 17, 2024
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ShortPixel ShortPixel Image Optimizer allows Blind SQL Injection. This issue affects ShortPixel Image Optimizer: from n/a through 5.6.3.
Affected versions: max 5.6.4.
Status: vulnerable

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # CVE-2024-48044
CVE: CVE-2024-48044
Date: Nov 01, 2024
Research Description: Missing Authorization vulnerability in ShortPixel – Convert WebP/AVIF & Optimize Images ShortPixel Image Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShortPixel Image Optimizer: from n/a through 5.6.3.
Affected versions: max 5.6.4.
Status: vulnerable
Jun 07, 2024

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF # c6d0d7d00104f4d04df374d0a0b63506e6950cb3
Date: Jun 14, 2022
Research Description: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser] < 5.4.2. WordPress ShortPixel Image Optimizer plugin <= 4.22.9 - Reflected Cross-Site Scripting (XSS) vulnerability. Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress ShortPixel Image Optimizer plugin (versions <= 4.22.9). Update the WordPress ShortPixel Image Optimizer plugin to the latest available version (at least 4.22.10).
Affected versions: max 5.4.2.
Status: vulnerable