CVE-2026-5217

| EUVD-2026-21662 HIGH
2026-04-11 Wordfence GHSA-8g9h-q4wq-r7gp
7.2
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 11, 2026 - 01:30 vuln.today
EUVD ID Assigned
Apr 11, 2026 - 01:30 euvd
EUVD-2026-21662
CVE Published
Apr 11, 2026 - 01:24 nvd
HIGH 7.2

Tags

XSS PHP WordPress

Description

The Optimole - Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.

Analysis

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Disable or remove Optimole plugin ≤4.2.2 immediately; if critical to operations, restrict REST API access via .htaccess or firewall rules to trusted IPs only. Within 7 days: Monitor WordPress options table and transients for suspicious entries; audit admin accounts for unauthorized activity; review access logs for /wp-json/optimole/v1/optimizations requests. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

36
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0

Share

CVE-2026-5217 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy