Skip to main content

Optimole WordPress Plugin CVE-2026-11784

| EUVDEUVD-2026-37848 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-18 Wordfence GHSA-xh6r-5wcf-38f6
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Attacker needs no privileges (PR:N); victim interaction required (UI:R); impact limited to partial integrity of media files only.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 06:22 vuln.today
CVE Published
Jun 18, 2026 - 05:34 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Optimole - Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file function. This makes it possible for unauthenticated attackers to overwrite existing media attachments with attacker-supplied file content by supplying a forged multipart POST request targeting any attachment the victim has edit_post capability over via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The forged request requires a victim with at least Author-level privileges, as the handler enforces a current_user_can('edit_post', $id) check; tricking an Author-level or higher user into clicking a crafted link is sufficient to trigger the overwrite against attachments that user can edit.

AnalysisAI

Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target site with Optimole ≤4.2.6
Delivery
Determine Author-or-higher user identity
Exploit
Craft forged multipart POST form targeting replace_file
Install
Deliver phishing link to victim
C2
Victim clicks link while authenticated
Execute
Browser submits forged request with victim cookies
Impact
Target media attachment overwritten with attacker content

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: first, the target WordPress site must be running the Optimole plugin at version 4.2.6 or earlier with the media rename/attachment management functionality active; second, an attacker must successfully socially engineer a WordPress user holding at least Author-level role (or higher: Editor, Administrator) into clicking a crafted link or visiting an attacker-controlled page while that user is authenticated to the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N accurately reflects the constrained impact: integrity is limited to media attachment content, there is no confidentiality breach, and availability is not directly affected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running Optimole 4.2.6 or earlier and determines that a logged-in Author (or editor/admin) is active. The attacker crafts a malicious webpage containing an auto-submitting multipart HTML form that POSTs to the target site's replace_file endpoint with a chosen attachment ID and attacker-controlled file content, then tricks the Author into visiting that page via a phishing link. …
Remediation A fix has been committed to the Optimole plugin SVN repository (changeset 3574315, visible at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574315%40optimole-wp&new=3574315%40optimole-wp); however, the specific patched release version number is not confirmed from the available data - administrators should update to the latest available version in the WordPress plugin repository and verify the installed version is newer than 4.2.6. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy