CVE-2026-2712
Status: Received - Intake
Unauthorized Access in WP-Optimize Heartbeat Allows Admin Function Abuse

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: Wordfence

Description
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).
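As an added illustration of the three checks the description says the Heartbeat path skipped, the following is a hypothetical hardened `heartbeat_received` filter callback written for this page, not WP-Optimize's own code. The request keys (`wpo_smush_command`, `wpo_smush_nonce`), the nonce action, the `manage_options` capability and the constructor of `Updraft_Smush_Manager_Commands` are assumptions.

```php
<?php
// Hypothetical hardened Heartbeat handler (added example, not WP-Optimize code).
// It applies the three checks the advisory says the AJAX path enforced but the
// Heartbeat path skipped: user capability, nonce token, and a command allowlist.

// Assumed allowlist of Smush commands a privileged user may invoke.
const WPO_SMUSH_ALLOWED_COMMANDS = array(
    'get_smush_logs',
    'clean_all_backup_images',
    'process_bulk_smush',
    'update_smush_options',
);

/**
 * Callback for the WordPress core 'heartbeat_received' filter.
 * Returns $response unchanged when any check fails, so an unprivileged
 * client receives nothing and no command is ever dispatched.
 */
function wpo_example_receive_heartbeat( $response, $data ) {
    if ( empty( $data['wpo_smush_command'] ) ) {
        return $response; // Not a Smush request; leave the Heartbeat alone.
    }

    // 1. Capability check: only administrators (manage_options) may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response;
    }

    // 2. Nonce check: the client must send a nonce tied to the assumed action.
    $nonce = isset( $data['wpo_smush_nonce'] ) ? $data['wpo_smush_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'wpo_smush_heartbeat' ) ) {
        return $response;
    }

    // 3. Allowlist check: reject anything outside the known command set.
    $command = sanitize_key( $data['wpo_smush_command'] );
    if ( ! in_array( $command, WPO_SMUSH_ALLOWED_COMMANDS, true ) ) {
        return $response;
    }

    // All three checks passed; dispatch to the command class (constructor assumed).
    $commands = new Updraft_Smush_Manager_Commands();
    $response['wpo_smush_result'] = call_user_func( array( $commands, $command ), $data );
    return $response;
}
add_filter( 'heartbeat_received', 'wpo_example_receive_heartbeat', 10, 2 );
```

The ordering matters for defenders reviewing similar handlers: the capability and nonce checks fail closed before any command name is even inspected, so a low-privilege session never reaches the dispatch step.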
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wp_optimize
Product: wp_optimize
Version / Range: up to and including 4.5.0
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

The WP-Optimize plugin for WordPress has a vulnerability in the receive_heartbeat() function where it fails to check user capabilities properly. This means that authenticated users with Subscriber-level access or higher can perform admin-only Smush operations without proper authorization.

  • The vulnerability arises because the Heartbeat handler calls Updraft_Smush_Manager_Commands methods directly without verifying user permissions, nonce tokens, or allowed commands.
  • As a result, unauthorized users can read log files, delete backup images, trigger bulk image processing, and modify Smush options.

How can this vulnerability impact me?

This vulnerability allows attackers with low-level authenticated access to perform administrative actions on the Smush image optimization features of the WP-Optimize plugin.

  • Attackers can read sensitive log files that may contain information about the system or plugin operations.
  • They can delete all backup images, potentially causing data loss.
  • They can trigger bulk image processing, which could lead to resource exhaustion or service disruption.
  • They can modify Smush options, potentially changing plugin behavior or security settings.

Overall, this can lead to integrity and availability impacts on the affected WordPress site.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform admin-only operations such as reading log files, deleting backup images, processing bulk images, and modifying plugin options without proper capability checks.

This unauthorized access to administrative functions could lead to potential data integrity and availability issues, which may impact compliance with standards like GDPR and HIPAA that require strict access controls and protection of sensitive data.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.
