Skip to main content

ShortPixel Image Optimizer CVE-2026-39471

| EUVD-2026-36935 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-15 Patchstack GHSA-8wj8-vcgv-j3hf
PHP Deserialization Shortpixel Image Optimizer
7.2
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable WordPress endpoint, no user interaction, full CIA impact via PHP object injection; Author is a low-privileged content role, so PR:L rather than PR:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:30 vuln.today

DescriptionCVE.org

Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.

AnalysisAI

Authenticated PHP Object Injection in the ShortPixel Image Optimizer WordPress plugin (versions 6.4.3 and earlier) allows attackers with Author-level privileges to trigger unsafe deserialization of attacker-controlled data, enabling code execution or other impacts when a suitable PHP gadget chain is present. Reported by Patchstack with no public exploit identified at time of analysis, the flaw is tracked as CWE-502 and carries a CVSS 3.1 score of 7.2 due to the high-privilege prerequisite but full CIA impact.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain WordPress Author credentials
Delivery
Craft serialized POP gadget payload
Exploit
Submit to vulnerable plugin endpoint
Install
Trigger unserialize on input
C2
Gadget chain executes via magic methods
Execute
Achieve RCE or file write
Impact
Persist via web shell or admin escalation
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated WordPress account with at least the Author role on a site running ShortPixel Image Optimizer ≤ 6.4.3, plus network reachability to the WordPress admin/AJAX/REST endpoint that performs the vulnerable unserialize call. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 7.2 High) reflects a network-reachable, low-complexity flaw with full CIA impact gated by high privileges - specifically the WordPress Author role per the title. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been granted a WordPress Author account submits a crafted request to a ShortPixel plugin endpoint containing a serialized PHP object payload built from a known POP gadget chain present in WordPress core or a co-installed plugin. When the plugin deserializes the input, the gadget chain fires during object destruction, enabling file write, arbitrary code execution, or database manipulation under the web server's identity. …
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the supplied data, so administrators should upgrade ShortPixel Image Optimizer to the latest version greater than 6.4.3 available on the WordPress.org plugin repository and verify the changelog references this PHP Object Injection fix (Patchstack advisory: https://patchstack.com/database/wordpress/plugin/shortpixel-image-optimiser/vulnerability/wordpress-shortpixel-image-optimizer-plugin-6-4-3-php-object-injection-vulnerability). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations and document ShortPixel plugin versions; immediately audit and restrict Author-level user access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-39471 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy