HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2026-5217 — The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image O...

·Source: NIST NVD

Updated:

Executive Summary

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. Th

Analysis

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page. CVSS Score: 7.2. Published: 2026-04-11T02:16:02.953.

Indicators of Compromise (1)

CVE (1)
CVE-2026-5217
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on Apr 11, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityPOC

Microsoft’s incident response is getting a failing grade from researchers

Microsoft is ticking off a lot of researchers this week by claiming that those who dump proof-of-concept exploits for vulnerabilities they have not responsibly disclosed are enabling criminal activity, and that Microsoft will track them and bring cases against them. Whoever advised them to issue that statement may want to walk it back. Kevin Beaumont,... Source

DataBreaches.net
HIGHVulnerability

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the

CVE-2026-0257
The Hacker News
MEDIUMVulnerability

23andMe Failed to Stop Months-Long Hack, State Alleges

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/23andme-failed-to-stop-months-long-hack-state-alleges-image_small-2-a-31816.jpg" align=right hspace=4><b>Calif. Lawsuit: Genetics Testing Firm Missed Red Flags Before Massive 2023 Breach</b><br>Hackers in 2023 went undetected for five months in genetics testing firm 23andMe's IT systems, despite multiple unheeded warning signs, al

Bank Info Security