
    10 vulnerabilities found for Optimole – Optimize Images in Real Time by optimole

    CVE-2026-5226 (GCVE-0-2026-5226)

    Vulnerability from nvd – Published: 2026-04-11 01:24 – Updated: 2026-04-13 12:27
    Title
    Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL
    Summary
    The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3. This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Ali Cem Havare Sencer Kılıç Cesi De Taranto

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T12:27:26.737479Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T12:27:49.136Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "4.2.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ali Cem Havare"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Sencer K\u0131l\u0131\u00e7"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Cesi De Taranto"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Optimole \u2013 Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-13T12:03:32.736Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/112cea93-fa4b-4692-8c8b-e74255f61939?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L459"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L459"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L542"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L542"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/admin.php#L1012"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/admin.php#L1012"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3498040/optimole-wp/trunk/inc/manager.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Foptimole-wp/tags/4.2.3\u0026new_path=%2Foptimole-wp/tags/4.2.4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-31T13:30:49.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-10T11:39:59.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Optimole \u003c= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5226",
        "datePublished": "2026-04-11T01:24:57.542Z",
        "dateReserved": "2026-03-31T13:15:00.960Z",
        "dateUpdated": "2026-04-13T12:27:49.136Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5217 (GCVE-0-2026-5217)

    Vulnerability from nvd – Published: 2026-04-11 01:24 – Updated: 2026-04-13 15:15
    Title
    Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter
    Summary
    The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Quốc Huy

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5217",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:09:40.696655Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:15:08.543Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "4.2.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qu\u1ed1c Huy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Optimole \u2013 Optimize Images | Convert WebP \u0026 AVIF | CDN \u0026 Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied \u0027s\u0027 parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-11T01:24:58.602Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50417068-339a-4ae5-9c90-8f08f54ce0af?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/rest.php#L159"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/rest.php#L1008"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/tag_replacer.php#L526"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/tag_replacer.php#L526"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/rest.php#L1008"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/rest.php#L159"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-31T11:42:57.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-10T11:56:50.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Optimole \u003c= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5217",
        "datePublished": "2026-04-11T01:24:58.602Z",
        "dateReserved": "2026-03-31T11:22:09.160Z",
        "dateUpdated": "2026-04-13T15:15:08.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11519 (GCVE-0-2025-11519)

    Vulnerability from nvd – Published: 2025-10-18 06:42 – Updated: 2026-04-08 17:09
    Title
    Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload
    Summary
    The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Dmitrii Ignatyev

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11519",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-20T19:02:41.179182Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-20T19:02:49.385Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dmitrii Ignatyev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Optimole \u2013 Optimize Images | Convert WebP \u0026 AVIF | CDN \u0026 Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn\u0027t belong to them."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:09:28.373Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9288ed60-b14b-4188-84d4-efe770093551?source=cve"
            },
            {
              "url": "https://research.cleantalk.org/CVE-2025-11519"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3378645%40optimole-wp\u0026new=3378645%40optimole-wp\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-10-09T21:13:01.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-10-17T18:03:14.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Image optimization service by Optimole \u003c= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11519",
        "datePublished": "2025-10-18T06:42:47.493Z",
        "dateReserved": "2025-10-08T17:29:21.851Z",
        "dateUpdated": "2026-04-08T17:09:28.373Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4636 (GCVE-0-2024-4636)

    Vulnerability from nvd – Published: 2024-05-15 06:51 – Updated: 2026-04-08 17:19
    Title
    Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF <= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
    Summary
    The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    optimole Optimole – Optimize Images in Real Time Affected: 0 , ≤ 3.12.10 (semver)
    Credits
    wesley

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-15T14:30:52.436266Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:54:53.427Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:47:41.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be88566d-fc84-442d-bb34-834ad9f4465b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/3.12.10/inc/admin.php#L1828"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3086306/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "3.12.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Image Optimization by Optimole \u2013 Lazy Load, CDN, Convert WebP \u0026 AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018allow_meme_types\u2019 function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:19:14.998Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be88566d-fc84-442d-bb34-834ad9f4465b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/3.12.10/inc/admin.php#L1828"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3086306/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-14T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Image Optimization by Optimole \u2013 Lazy Load, CDN, Convert WebP \u0026 AVIF \u003c= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4636",
        "datePublished": "2024-05-15T06:51:55.715Z",
        "dateReserved": "2024-05-07T23:39:11.915Z",
        "dateUpdated": "2026-04-08T17:19:14.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1047 (GCVE-0-2024-1047)

    Vulnerability from nvd – Published: 2024-02-02 05:33 – Updated: 2026-04-08 16:56
    Title
    ThemeIsle SDK <= Various Versions - Missing Authorization
    Summary
    Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    themeisle Menu Icons by ThemeIsle Affected: 0 , ≤ 0.13.8 (semver)
    themeisle Starter Sites & Templates by Neve Affected: 0 , ≤ 1.2.6 (semver)
    themeisle Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Affected: 0 , ≤ 2.6.2 (semver)
    themeisle LightStart – Maintenance Mode, Coming Soon and Landing Page Builder Affected: 0 , ≤ 2.6.9 (semver)
    themeisle Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More Affected: 0 , ≤ 2.10.28 (semver)
    themeisle Multiple Page Generator Plugin – MPG Affected: 0 , ≤ 3.4.0 (semver)
    themeisle Visualizer: Tables and Charts Manager for WordPress Affected: 0 , ≤ 3.10.6 (semver)
    optimole Optimole – Optimize Images in Real Time Affected: 0 , ≤ 3.12.4 (semver)
    themeisle RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator Affected: 0 , ≤ 4.4.1 (semver)
    optimole Super Page Cache Affected: 0 , ≤ 4.7.5 (semver)
    rsocial Revive Social – Social Media Auto Post and Scheduling Automation Plugin Affected: 0 , ≤ 9.0.25 (semver)
    themeisle PPOM – Product Addons & Custom Fields for WooCommerce Affected: 0 , ≤ 32.0.9 (semver)
    Credits
    Francesco Carlucci

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:26:30.414Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1047",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-02T14:37:24.941327Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T21:29:24.238Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Menu Icons by ThemeIsle",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "0.13.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Starter Sites \u0026 Templates by Neve",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg Editor \u0026 FSE",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "LightStart \u2013 Maintenance Mode, Coming Soon and Landing Page Builder",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "2.10.28",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Multiple Page Generator Plugin \u2013 MPG",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Visualizer: Tables and Charts Manager for WordPress",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "3.10.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "3.12.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "4.4.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Super Page Cache",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Revive Social \u2013 Social Media Auto Post and Scheduling Automation Plugin",
              "vendor": "rsocial",
              "versions": [
                {
                  "lessThanOrEqual": "9.0.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "PPOM \u2013 Product Addons \u0026 Custom Fields for WooCommerce",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "32.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:56:47.195Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3040302%40templates-patterns-collection\u0026new=3040302%40templates-patterns-collection\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-01T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "ThemeIsle SDK  \u003c= Various Versions - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1047",
        "datePublished": "2024-02-02T05:33:14.536Z",
        "dateReserved": "2024-01-29T18:29:02.865Z",
        "dateUpdated": "2026-04-08T16:56:47.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5217 (GCVE-0-2026-5217)

    Vulnerability from cvelistv5 – Published: 2026-04-11 01:24 – Updated: 2026-04-13 15:15
    Title
    Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter
    Summary
    The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Quốc Huy

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5217",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:09:40.696655Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:15:08.543Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "4.2.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qu\u1ed1c Huy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Optimole \u2013 Optimize Images | Convert WebP \u0026 AVIF | CDN \u0026 Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied \u0027s\u0027 parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-11T01:24:58.602Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50417068-339a-4ae5-9c90-8f08f54ce0af?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/rest.php#L159"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/rest.php#L1008"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/tag_replacer.php#L526"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/tag_replacer.php#L526"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/rest.php#L1008"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/rest.php#L159"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-31T11:42:57.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-10T11:56:50.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Optimole \u003c= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5217",
        "datePublished": "2026-04-11T01:24:58.602Z",
        "dateReserved": "2026-03-31T11:22:09.160Z",
        "dateUpdated": "2026-04-13T15:15:08.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5226 (GCVE-0-2026-5226)

    Vulnerability from cvelistv5 – Published: 2026-04-11 01:24 – Updated: 2026-04-13 12:27
    Title
    Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL
    Summary
    The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3. This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Ali Cem Havare Sencer Kılıç Cesi De Taranto

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T12:27:26.737479Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T12:27:49.136Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "4.2.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ali Cem Havare"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Sencer K\u0131l\u0131\u00e7"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Cesi De Taranto"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Optimole \u2013 Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-13T12:03:32.736Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/112cea93-fa4b-4692-8c8b-e74255f61939?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L459"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L459"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L542"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L542"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/admin.php#L1012"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/admin.php#L1012"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3498040/optimole-wp/trunk/inc/manager.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Foptimole-wp/tags/4.2.3\u0026new_path=%2Foptimole-wp/tags/4.2.4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-31T13:30:49.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-10T11:39:59.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Optimole \u003c= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5226",
        "datePublished": "2026-04-11T01:24:57.542Z",
        "dateReserved": "2026-03-31T13:15:00.960Z",
        "dateUpdated": "2026-04-13T12:27:49.136Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11519 (GCVE-0-2025-11519)

    Vulnerability from cvelistv5 – Published: 2025-10-18 06:42 – Updated: 2026-04-08 17:09
    Title
    Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload
    Summary
    The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Dmitrii Ignatyev

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11519",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-20T19:02:41.179182Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-20T19:02:49.385Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dmitrii Ignatyev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Optimole \u2013 Optimize Images | Convert WebP \u0026 AVIF | CDN \u0026 Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn\u0027t belong to them."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:09:28.373Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9288ed60-b14b-4188-84d4-efe770093551?source=cve"
            },
            {
              "url": "https://research.cleantalk.org/CVE-2025-11519"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3378645%40optimole-wp\u0026new=3378645%40optimole-wp\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-10-09T21:13:01.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-10-17T18:03:14.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Image optimization service by Optimole \u003c= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11519",
        "datePublished": "2025-10-18T06:42:47.493Z",
        "dateReserved": "2025-10-08T17:29:21.851Z",
        "dateUpdated": "2026-04-08T17:09:28.373Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4636 (GCVE-0-2024-4636)

    Vulnerability from cvelistv5 – Published: 2024-05-15 06:51 – Updated: 2026-04-08 17:19
    Title
    Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF <= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
    Summary
    The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    optimole Optimole – Optimize Images in Real Time Affected: 0 , ≤ 3.12.10 (semver)
    Credits
    wesley

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-15T14:30:52.436266Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:54:53.427Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:47:41.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be88566d-fc84-442d-bb34-834ad9f4465b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/3.12.10/inc/admin.php#L1828"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3086306/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "3.12.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Image Optimization by Optimole \u2013 Lazy Load, CDN, Convert WebP \u0026 AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018allow_meme_types\u2019 function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:19:14.998Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be88566d-fc84-442d-bb34-834ad9f4465b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/3.12.10/inc/admin.php#L1828"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3086306/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-14T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Image Optimization by Optimole \u2013 Lazy Load, CDN, Convert WebP \u0026 AVIF \u003c= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4636",
        "datePublished": "2024-05-15T06:51:55.715Z",
        "dateReserved": "2024-05-07T23:39:11.915Z",
        "dateUpdated": "2026-04-08T17:19:14.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1047 (GCVE-0-2024-1047)

    Vulnerability from cvelistv5 – Published: 2024-02-02 05:33 – Updated: 2026-04-08 16:56
    Title
    ThemeIsle SDK <= Various Versions - Missing Authorization
    Summary
    Multiple WordPress plugins and themes that bundle the ThemeIsle SDK are vulnerable to unauthorized modification of data because, in various SDK versions, the register_reference() function performs no capability check. This allows unauthenticated attackers to overwrite the option values ThemeIsle uses to track promotional activity (utm_source). Per the assigned CVSS vector (C:N/I:L/A:N, 5.3 MEDIUM), the impact is limited to integrity of those tracking options; because the SDK is vendored into each plugin, a site is affected until every listed plugin is updated to a version that ships the patched SDK.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    themeisle Menu Icons by ThemeIsle Affected: 0 , ≤ 0.13.8 (semver)
    themeisle Starter Sites & Templates by Neve Affected: 0 , ≤ 1.2.6 (semver)
    themeisle Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Affected: 0 , ≤ 2.6.2 (semver)
    themeisle LightStart – Maintenance Mode, Coming Soon and Landing Page Builder Affected: 0 , ≤ 2.6.9 (semver)
    themeisle Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More Affected: 0 , ≤ 2.10.28 (semver)
    themeisle Multiple Page Generator Plugin – MPG Affected: 0 , ≤ 3.4.0 (semver)
    themeisle Visualizer: Tables and Charts Manager for WordPress Affected: 0 , ≤ 3.10.6 (semver)
    optimole Optimole – Optimize Images in Real Time Affected: 0 , ≤ 3.12.4 (semver)
    themeisle RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator Affected: 0 , ≤ 4.4.1 (semver)
    optimole Super Page Cache Affected: 0 , ≤ 4.7.5 (semver)
    rsocial Revive Social – Social Media Auto Post and Scheduling Automation Plugin Affected: 0 , ≤ 9.0.25 (semver)
    themeisle PPOM – Product Addons & Custom Fields for WooCommerce Affected: 0 , ≤ 32.0.9 (semver)
    Credits
    Francesco Carlucci

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:26:30.414Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1047",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-02T14:37:24.941327Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T21:29:24.238Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Menu Icons by ThemeIsle",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "0.13.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Starter Sites \u0026 Templates by Neve",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg Editor \u0026 FSE",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "LightStart \u2013 Maintenance Mode, Coming Soon and Landing Page Builder",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "2.10.28",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Multiple Page Generator Plugin \u2013 MPG",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Visualizer: Tables and Charts Manager for WordPress",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "3.10.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Optimole \u2013 Optimize Images in Real Time",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "3.12.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "4.4.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Super Page Cache",
              "vendor": "optimole",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Revive Social \u2013 Social Media Auto Post and Scheduling Automation Plugin",
              "vendor": "rsocial",
              "versions": [
                {
                  "lessThanOrEqual": "9.0.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "PPOM \u2013 Product Addons \u0026 Custom Fields for WooCommerce",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "32.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:56:47.195Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3040302%40templates-patterns-collection\u0026new=3040302%40templates-patterns-collection\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-01T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "ThemeIsle SDK  \u003c= Various Versions - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1047",
        "datePublished": "2024-02-02T05:33:14.536Z",
        "dateReserved": "2024-01-29T18:29:02.865Z",
        "dateUpdated": "2026-04-08T16:56:47.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }