Is PHP affected by EUVD-2026-21662?

Optimole WordPress plugin versions 4.2.2 and earlier contain a stored cross-site scripting vulnerability in the REST API that allows unauthenticated attackers to inject and persistently execute malicious scripts on affected websites.

EUVD-2026-21662

| CVE-2026-5217 HIGH

2026-04-11 Wordfence

GHSA-8g9h-q4wq-r7gp

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 11, 2026 - 01:30 vuln.today

EUVD ID Assigned

Apr 11, 2026 - 01:30 euvd

EUVD-2026-21662

CVE Published

Apr 11, 2026 - 01:24 nvd

HIGH 7.2

Description

The Optimole - Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.

Analysis

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. …

Remediation

Within 24 hours: Disable or remove Optimole plugin ≤4.2.2 immediately; if critical to operations, restrict REST API access via .htaccess or firewall rules to trusted IPs only. Within 7 days: Monitor WordPress options table and transients for suspicious entries; audit admin accounts for unauthorized activity; review access logs for /wp-json/optimole/v1/optimizations requests. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: 0

EUVD-2026-21662 vulnerability details – vuln.today

Back

EUVD-2026-21662

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-21662

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code