Vulnerabilities and security researches forwp-optimize wp-optimize

Jun 07, 2024

CVE, Research URL: CVE-2023-1119
Home page URL: Security reports for WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Application: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Date: Jul 10, 2023
Research Description: The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability.
Affected versions: max 3.2.13.
Status: vulnerable

CVE, Research URL: 26830aedbc88ad9227f2593255d49db672b6b093
Home page URL: Security reports for WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Application: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Date: Feb 06, 2023
Research Description: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance [wp-optimize] < 3.2.12 WP-Optimize <= 3.2.11 - Cross-Site Request Forgery The WP-Optimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.11. This is due to missing or incorrect nonce validation on the 'is_valid_request' function. This makes it possible for unauthenticated attackers to manage and modify cache and minification settings and dismiss notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 3.2.12.
Status: vulnerable

Jun 04, 2025

CVE, Research URL: CVE-2025-3951
Home page URL: Security reports for WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Application: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Date: Jun 02, 2025
Research Description: The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.
Affected versions: max 4.2.0.
Status: vulnerable

Apr 14, 2026

CVE, Research URL: CVE-2026-2712
Home page URL: Security reports for WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Application: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Date: Apr 10, 2026
Research Description: The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).
Affected versions: max 4.5.1.
Status: vulnerable

May 08, 2026

CVE, Research URL: CVE-2026-7252
Home page URL: Security reports for WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Application: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Date: May 07, 2026
Research Description: The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2 This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key — it does not begin with an underscore — allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API.
Affected versions: max 4.5.3.
Status: vulnerable