Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF by shortpixel
CVE-2026-4335 (GCVE-0-2026-4335)
Vulnerability from nvd – Published: 2026-03-26 02:25 – Updated: 2026-04-08 17:12
VLAI?
Title
ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title
Summary
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF |
Affected:
0 , ≤ 6.4.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T17:36:26.561233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:51:16.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP \u0026 AVIF",
"vendor": "shortpixel",
"versions": [
{
"lessThanOrEqual": "6.4.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment\u0027s post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element\u0027s value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:25.085Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a156234f-2644-4d17-aaa5-4f088cf48f73?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/view/snippets/media-popup.php#L139"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/view/snippets/media-popup.php#L139"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/Controller/AjaxController.php#L449"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/Controller/AjaxController.php#L449"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3490270%40shortpixel-image-optimiser\u0026new=3490270%40shortpixel-image-optimiser\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-17T14:30:57.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "ShortPixel Image Optimizer \u003c= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4335",
"datePublished": "2026-03-26T02:25:20.157Z",
"dateReserved": "2026-03-17T14:15:42.197Z",
"dateUpdated": "2026-04-08T17:12:25.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1246 (GCVE-0-2026-1246)
Vulnerability from nvd – Published: 2026-02-05 06:47 – Updated: 2026-04-08 16:33
VLAI?
Title
ShortPixel Image Optimizer <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter
Summary
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF |
Affected:
0 , ≤ 6.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:55:50.898150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:55:57.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP \u0026 AVIF",
"vendor": "shortpixel",
"versions": [
{
"lessThanOrEqual": "6.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafa\u0142"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the \u0027loadFile\u0027 parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the \u0027loadLogFile\u0027 AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:33:01.074Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03cb41d2-67c8-457f-8d85-7aede8e12d44?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L309"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L1686"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/BulkController.php#L200"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3449706%40shortpixel-image-optimiser\u0026new=3449706%40shortpixel-image-optimiser\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T19:08:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-04T18:35:26.000Z",
"value": "Disclosed"
}
],
"title": "ShortPixel Image Optimizer \u003c= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via \u0027loadFile\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1246",
"datePublished": "2026-02-05T06:47:41.372Z",
"dateReserved": "2026-01-20T18:53:28.652Z",
"dateUpdated": "2026-04-08T16:33:01.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11378 (GCVE-0-2025-11378)
Vulnerability from nvd – Published: 2025-10-18 03:33 – Updated: 2026-04-08 16:41
VLAI?
Title
ShortPixel Image Optimizer <= 6.3.4 - Authenticated (Contributor+) Settings Import/Export
Summary
The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF |
Affected:
0 , ≤ 6.3.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T18:40:56.026671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T18:41:03.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP \u0026 AVIF",
"vendor": "shortpixel",
"versions": [
{
"lessThanOrEqual": "6.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP \u0026 AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027shortpixel_ajaxRequest\u0027 AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:41:01.563Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f7e9eb5-e222-43fa-a14f-b9cbced6b8f5?source=cve"
},
{
"url": "https://research.cleantalk.org/CVE-2025-11378"
},
{
"url": "https://github.com/short-pixel-optimizer/shortpixel-image-optimiser/commit/74263060acafbaf63b4a34f339a8b0dc35f2cad9"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3379473%40shortpixel-image-optimiser\u0026new=3379473%40shortpixel-image-optimiser\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-06T16:58:55.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-17T14:41:31.000Z",
"value": "Disclosed"
}
],
"title": "ShortPixel Image Optimizer \u003c= 6.3.4 - Authenticated (Contributor+) Settings Import/Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11378",
"datePublished": "2025-10-18T03:33:23.231Z",
"dateReserved": "2025-10-06T16:43:29.722Z",
"dateUpdated": "2026-04-08T16:41:01.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4335 (GCVE-0-2026-4335)
Vulnerability from cvelistv5 – Published: 2026-03-26 02:25 – Updated: 2026-04-08 17:12
VLAI?
Title
ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title
Summary
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF |
Affected:
0 , ≤ 6.4.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T17:36:26.561233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:51:16.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP \u0026 AVIF",
"vendor": "shortpixel",
"versions": [
{
"lessThanOrEqual": "6.4.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment\u0027s post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element\u0027s value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:25.085Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a156234f-2644-4d17-aaa5-4f088cf48f73?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/view/snippets/media-popup.php#L139"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/view/snippets/media-popup.php#L139"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/Controller/AjaxController.php#L449"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/Controller/AjaxController.php#L449"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3490270%40shortpixel-image-optimiser\u0026new=3490270%40shortpixel-image-optimiser\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-17T14:30:57.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "ShortPixel Image Optimizer \u003c= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4335",
"datePublished": "2026-03-26T02:25:20.157Z",
"dateReserved": "2026-03-17T14:15:42.197Z",
"dateUpdated": "2026-04-08T17:12:25.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1246 (GCVE-0-2026-1246)
Vulnerability from cvelistv5 – Published: 2026-02-05 06:47 – Updated: 2026-04-08 16:33
VLAI?
Title
ShortPixel Image Optimizer <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter
Summary
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF |
Affected:
0 , ≤ 6.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:55:50.898150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:55:57.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP \u0026 AVIF",
"vendor": "shortpixel",
"versions": [
{
"lessThanOrEqual": "6.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafa\u0142"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the \u0027loadFile\u0027 parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the \u0027loadLogFile\u0027 AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:33:01.074Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03cb41d2-67c8-457f-8d85-7aede8e12d44?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L309"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L1686"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/BulkController.php#L200"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3449706%40shortpixel-image-optimiser\u0026new=3449706%40shortpixel-image-optimiser\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T19:08:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-04T18:35:26.000Z",
"value": "Disclosed"
}
],
"title": "ShortPixel Image Optimizer \u003c= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via \u0027loadFile\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1246",
"datePublished": "2026-02-05T06:47:41.372Z",
"dateReserved": "2026-01-20T18:53:28.652Z",
"dateUpdated": "2026-04-08T16:33:01.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11378 (GCVE-0-2025-11378)
Vulnerability from cvelistv5 – Published: 2025-10-18 03:33 – Updated: 2026-04-08 16:41
VLAI?
Title
ShortPixel Image Optimizer <= 6.3.4 - Authenticated (Contributor+) Settings Import/Export
Summary
The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF |
Affected:
0 , ≤ 6.3.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T18:40:56.026671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T18:41:03.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP \u0026 AVIF",
"vendor": "shortpixel",
"versions": [
{
"lessThanOrEqual": "6.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ShortPixel Image Optimizer \u2013 Optimize Images, Convert WebP \u0026 AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027shortpixel_ajaxRequest\u0027 AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:41:01.563Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f7e9eb5-e222-43fa-a14f-b9cbced6b8f5?source=cve"
},
{
"url": "https://research.cleantalk.org/CVE-2025-11378"
},
{
"url": "https://github.com/short-pixel-optimizer/shortpixel-image-optimiser/commit/74263060acafbaf63b4a34f339a8b0dc35f2cad9"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3379473%40shortpixel-image-optimiser\u0026new=3379473%40shortpixel-image-optimiser\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-06T16:58:55.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-17T14:41:31.000Z",
"value": "Disclosed"
}
],
"title": "ShortPixel Image Optimizer \u003c= 6.3.4 - Authenticated (Contributor+) Settings Import/Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11378",
"datePublished": "2025-10-18T03:33:23.231Z",
"dateReserved": "2025-10-06T16:43:29.722Z",
"dateUpdated": "2026-04-08T16:41:01.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}