cleantalk
Vulnerabilities and Security Researches

Smush – Optimize, Compress and Lazy Load Images, CVE-2022-1009

CVE, Research URL

CVE-2022-1009

Home page URL

Security reports for Smush – Optimize, Compress and Lazy Load Images

Application

Smush – Optimize, Compress and Lazy Load Images

Published on
May 30, 2022
Research Description
The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file
Affected versions
Min -, max 3.0.1.
Status
vulnerable
Previous vulnerability researches
Smush – Optimize, Compress and Lazy Load Images (CVE-2023-3352) , Jun 22, 2024
Smush – Optimize, Compress and Lazy Load Images (CVE-2025-22288) , Apr 02, 2025
Smush – Optimize, Compress and Lazy Load Images (CVE-2017-15079) , Jun 07, 2024
Smush – Optimize, Compress and Lazy Load Images (CVE-2022-1009) , Jun 07, 2024
New vulnerability
MediaView (CVE-2025-31898) , Apr 05, 2025
Product Filter by WBW (CVE-2025-2317) , Apr 05, 2025
Widget Manager Light (CVE-2025-31768) , Apr 05, 2025
Residential Address Detection (CVE-2025-30916) , Apr 05, 2025
SWM – Shopify to WooCommerce Migration (CVE-2025-31795) , Apr 05, 2025