CVE-2026-5217
Stored XSS in Optimole WordPress Plugin via Unauthenticated REST Endpoint

Publication date: 2026-04-11

Last updated on: 2026-04-11

Assigner: Wordfence

Description
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML, which makes them accessible to any visitor. The plugin applies sanitize_text_field() to the descriptor value in rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute in tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: optimole; Product: optimole; Version range: up to 4.2.2 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking for the presence of malicious scripts injected via the 's' parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Since the vulnerability allows stored cross-site scripting through the srcset descriptor, inspecting HTTP requests and responses for suspicious or unexpected script content in the srcset attribute can help identify exploitation attempts.

You can use network monitoring tools or command-line utilities to capture and analyze HTTP traffic to the vulnerable endpoint.

  • Use curl or wget to fetch the REST endpoint and inspect the 's' parameter in the response, for example: curl -v https://yourwordpresssite.com/wp-json/optimole/v1/optimizations
  • Use grep or similar tools to search for suspicious script tags or unusual content in the srcset attribute within the WordPress options table or transient storage in the database.
  • Scan your WordPress database options table for entries containing script tags or suspicious payloads injected via the 's' parameter.
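As an added illustration (not part of this record or of the Optimole plugin's own code): because sanitize_text_field() already strips tags, grepping stored data for script tags can miss a descriptor that breaks out of the srcset attribute with a double quote. Checking every descriptor against the srcset grammar (only width descriptors such as 640w or pixel-density descriptors such as 1.5x are valid) flags any deviation. The sample values below are constructed and the option keys are hypothetical; in a real review the dictionary would be filled from option or transient rows exported from the database.

```python
import re

# A valid srcset descriptor is a width ("640w") or a pixel-density ("1.5x")
# descriptor. Anything else in descriptor position is not something the
# browser expects and deserves a manual look.
DESCRIPTOR_RE = re.compile(r"^(?:\d+w|\d*\.?\d+x)$")


def parse_srcset(srcset: str) -> list[tuple[str, str]]:
    """Split a srcset value into (url, descriptor) pairs.

    Candidates are comma separated; inside a candidate the URL and the
    descriptor are separated by whitespace. maxsplit=1 keeps a descriptor
    that contains spaces or quotes in one piece so it can be inspected whole.
    Assumes URLs contain no commas (true for ordinary image URLs).
    """
    pairs = []
    for candidate in srcset.split(","):
        parts = candidate.strip().split(None, 1)
        if not parts:
            continue
        descriptor = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((parts[0], descriptor))
    return pairs


def suspicious_descriptors(srcset: str) -> list[str]:
    """Return descriptors that do not match the srcset grammar.

    An empty descriptor is legal (it defaults to 1x), so it is not reported.
    """
    return [d for _, d in parse_srcset(srcset) if d and not DESCRIPTOR_RE.match(d)]


def scan_values(values: dict[str, str]) -> dict[str, list[str]]:
    """Check every stored srcset-style value and report the bad descriptors
    per key, e.g. for option/transient rows exported from the database."""
    return {key: bad for key, value in values.items()
            if (bad := suspicious_descriptors(value))}


# Constructed sample: two hypothetical transient rows, one clean and one whose
# descriptor carries a double quote that sanitize_text_field() leaves in place.
SAMPLE_VALUES = {
    "_transient_example_clean": "img.jpg 320w, img@2x.jpg 640w, img.jpg 1.5x",
    "_transient_example_tainted": 'img.jpg 320w, img.jpg 640w"x',
}

if __name__ == "__main__":
    for key, bad in scan_values(SAMPLE_VALUES).items():
        print(f"{key}: unexpected descriptor(s) {bad}")
```

Any key the scan reports should be inspected and the stored value regenerated or deleted, which is the review step described under mitigation.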

Can you explain this vulnerability to me?

The vulnerability exists in the Optimole WordPress plugin (versions up to 4.2.2) and is a Stored Cross-Site Scripting (XSS) issue. It arises because the plugin does not properly sanitize and escape user input on the 's' parameter (srcset descriptor) in the unauthenticated REST endpoint /wp-json/optimole/v1/optimizations.

Although the endpoint uses an HMAC signature and timestamp for validation, these values are exposed in the frontend HTML, making them accessible to any visitor. The plugin uses sanitize_text_field() which removes HTML tags but does not escape double quotes, allowing attackers to inject malicious scripts.

The malicious input is stored via transients in the WordPress options table and later injected directly into the srcset attribute without proper escaping, enabling arbitrary script execution whenever a user accesses the affected page.

How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to inject and store malicious scripts that execute in the browsers of users visiting the affected site.

  • It can lead to theft of user credentials or session tokens.
  • It may enable attackers to perform actions on behalf of users (such as changing settings or stealing data).
  • It can damage the reputation of the affected website by exposing visitors to malicious content.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the Optimole plugin to a version later than 4.2.2 where this vulnerability is fixed.

If an update is not immediately possible, consider disabling the Optimole plugin temporarily to prevent exploitation.

Additionally, review and sanitize any stored data in the WordPress options table or transient storage that may contain malicious scripts injected via the vulnerable parameter.

Implement Web Application Firewall (WAF) rules to block suspicious requests targeting the /wp-json/optimole/v1/optimizations endpoint.
