Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attacker needs no privileges (PR:N); victim interaction required (UI:R); impact limited to partial integrity of media files only.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Optimole - Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file function. This makes it possible for unauthenticated attackers to overwrite existing media attachments with attacker-supplied file content by supplying a forged multipart POST request targeting any attachment the victim has edit_post capability over via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The forged request requires a victim with at least Author-level privileges, as the handler enforces a current_user_can('edit_post', $id) check; tricking an Author-level or higher user into clicking a crafted link is sufficient to trigger the overwrite against attachments that user can edit.
AnalysisAI
Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: first, the target WordPress site must be running the Optimole plugin at version 4.2.6 or earlier with the media rename/attachment management functionality active; second, an attacker must successfully socially engineer a WordPress user holding at least Author-level role (or higher: Editor, Administrator) into clicking a crafted link or visiting an attacker-controlled page while that user is authenticated to the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N accurately reflects the constrained impact: integrity is limited to media attachment content, there is no confidentiality breach, and availability is not directly affected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running Optimole 4.2.6 or earlier and determines that a logged-in Author (or editor/admin) is active. The attacker crafts a malicious webpage containing an auto-submitting multipart HTML form that POSTs to the target site's replace_file endpoint with a chosen attachment ID and attacker-controlled file content, then tricks the Author into visiting that page via a phishing link. … |
| Remediation | A fix has been committed to the Optimole plugin SVN repository (changeset 3574315, visible at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574315%40optimole-wp&new=3574315%40optimole-wp); however, the specific patched release version number is not confirmed from the available data - administrators should update to the latest available version in the WordPress plugin repository and verify the installed version is newer than 4.2.6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37848
GHSA-xh6r-5wcf-38f6