CVE-2026-5217
Stored XSS in Optimole WordPress Plugin via Unauthenticated REST Endpoint
Publication date: 2026-04-11
Last updated on: 2026-04-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| optimole | optimole | up to and including 4.2.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of malicious scripts injected via the 's' parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Since the vulnerability allows stored cross-site scripting through the srcset descriptor, inspecting HTTP requests and responses for suspicious or unexpected script content in the srcset attribute can help identify exploitation attempts.
You can use network monitoring tools or command-line utilities to capture and analyze HTTP traffic to the vulnerable endpoint.
- Use curl or wget to fetch the REST endpoint and inspect how the 's' parameter is reflected in the response, for example: `curl -v https://yourwordpresssite.com/wp-json/optimole/v1/optimizations`
- Use grep or similar tools to search for suspicious script tags or unusual content in the srcset attribute within the WordPress options table or transient storage in the database.
- Scan your WordPress database options table for entries containing script tags or suspicious payloads injected via the 's' parameter.
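One way to carry out the response inspection described above, as an added example that is not part of the original record or of the Optimole plugin: a small auditor that walks the HTML of a fetched page, checks every srcset descriptor against the width/density grammar the attribute allows, and flags img/source tags that carry event-handler attributes. Because HTMLParser decodes entities, a stored descriptor that was escaped on output still shows up as malformed, so the check works on patched sites too. The sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# A srcset candidate may carry one width ("640w") or one pixel-density ("1.5x") descriptor.
DESCRIPTOR_RE = re.compile(r"\d+w|\d+(?:\.\d+)?x")


def descriptor_is_valid(descriptor: str) -> bool:
    return DESCRIPTOR_RE.fullmatch(descriptor) is not None


def srcset_findings(srcset: str) -> list:
    """Return the candidates of a srcset value whose descriptor part is not well-formed."""
    bad = []
    for candidate in srcset.split(","):
        parts = candidate.split()
        if not parts:               # tolerate a trailing comma
            continue
        descriptors = parts[1:]     # parts[0] is the image URL
        if len(descriptors) > 1 or (descriptors and not descriptor_is_valid(descriptors[0])):
            bad.append(candidate.strip())
    return bad


class SrcsetAuditor(HTMLParser):
    """Collects tags whose srcset is malformed or that carry on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []          # list of (tag name, reason)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)         # attribute values arrive entity-decoded
        if "srcset" not in attrs:
            return
        handlers = [name for name in attrs if name.startswith("on")]
        if handlers:
            self.findings.append((tag, "event handler attribute: " + ",".join(handlers)))
        for bad in srcset_findings(attrs["srcset"] or ""):
            self.findings.append((tag, "malformed srcset candidate: " + bad))


def audit_html(html: str) -> list:
    auditor = SrcsetAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one clean tag, one escaped-but-tampered descriptor, one injected attribute.
SAMPLE_HTML = """
<img src="a.jpg" srcset="a-640.jpg 640w, a-1280.jpg 2x" alt="clean">
<img src="b.jpg" srcset="b-640.jpg 640w&quot; junk" alt="escaped but tampered">
<img src="c.jpg" srcset="c-640.jpg 640w" onload="x" alt="attribute injected">
"""
```

Feed it the body of a page fetched from the site; an empty findings list means every srcset descriptor parsed cleanly and no image tag carried an event handler.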
Can you explain this vulnerability to me?
The vulnerability exists in the Optimole WordPress plugin (versions up to 4.2.2) and is a Stored Cross-Site Scripting (XSS) issue. It arises because the plugin does not properly sanitize and escape user input on the 's' parameter (srcset descriptor) in the unauthenticated REST endpoint /wp-json/optimole/v1/optimizations.
Although the endpoint uses an HMAC signature and timestamp for validation, these values are exposed in the frontend HTML, making them accessible to any visitor. The plugin uses sanitize_text_field(), which removes HTML tags but does not escape double quotes, so an attacker can break out of the quoted attribute and inject malicious scripts.
The malicious input is stored via transients in the WordPress options table and later injected directly into the srcset attribute without proper escaping, enabling arbitrary script execution whenever a user accesses the affected page.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to inject and store malicious scripts that execute in the browsers of users visiting the affected site.
- It can lead to theft of user credentials or session tokens.
- It may enable attackers to perform actions on behalf of users (such as changing settings or stealing data).
- It can damage the reputation of the affected website by exposing visitors to malicious content.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Optimole plugin to a version later than 4.2.2 where this vulnerability is fixed.
If an update is not immediately possible, consider disabling the Optimole plugin temporarily to prevent exploitation.
Additionally, review and sanitize any stored data in the WordPress options table or transient storage that may contain malicious scripts injected via the vulnerable parameter.
Implement Web Application Firewall (WAF) rules to block suspicious requests targeting the /wp-json/optimole/v1/optimizations endpoint.