Skip to main content

Optimole Optimize Images Convert Webp Avif Cdn Lazy Load Image Optimization

1 CVEs product

Monthly

CVE-2026-11784 MEDIUM This Month

Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.

CSRF WordPress Optimole Optimize Images Convert Webp Avif Cdn Lazy Load Image Optimization
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.

CSRF WordPress Optimole Optimize Images Convert Webp Avif Cdn Lazy Load Image Optimization
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy