Optimole Optimize Images Convert Webp Avif Cdn Lazy Load Image Optimization
Monthly
Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.
Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.