CVE-2026-11784
Cross-Site Request Forgery in Optimole WordPress Plugin

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file function. This makes it possible for unauthenticated attackers to overwrite existing media attachments with attacker-supplied file content via a forged multipart POST request targeting any attachment the victim has the edit_post capability over, granted they can trick a site administrator into performing an action such as clicking on a link. The forged request requires a victim with at least Author-level privileges, as the handler enforces a current_user_can('edit_post', $id) check; tricking an Author-level or higher user into clicking a crafted link is sufficient to trigger the overwrite against attachments that user can edit.
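The description above is precise about the root cause: the handler relies on a capability check (current_user_can('edit_post', $id)) but does not verify a nonce. A capability check is an authorisation control, not a CSRF control, because a cross-site request rides on the victim's own session and passes it. The following is an added illustration, not Optimole's code, of how a WordPress file-replacement handler is expected to pair the two checks. The hook name, nonce action string, parameter names and helper functions are assumptions; only the WordPress core APIs it calls (check_ajax_referer, current_user_can, wp_check_filetype_and_ext, wp_create_nonce) are real.

```php
<?php
// Added example, not the plugin's code. Illustrates the CSRF defence the
// advisory says is missing: a nonce check in front of the capability check.
// 'example_replace_file' (hook and nonce action) and the 'id'/'file'
// parameters are assumed names for illustration.

add_action( 'wp_ajax_example_replace_file', 'example_replace_file_handler' );

function example_replace_file_handler() {
    // 1. CSRF defence. The request must carry a nonce that WordPress issued
    //    to this user for this action. check_ajax_referer() terminates the
    //    request with a 403 if the nonce is absent, stale or forged, so a
    //    cross-site form post never reaches the code below.
    check_ajax_referer( 'example_replace_file', '_ajax_nonce' );

    $attachment_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'Invalid attachment.', 400 );
    }

    // 2. Authorisation. This is the check the vulnerable handler already
    //    performs; on its own it only limits *which* user can be abused,
    //    it does not stop a forged request made in that user's session.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Validate the upload with WordPress's own type checks and require
    //    the replacement to match the existing attachment's MIME type, so a
    //    .jpg attachment cannot silently become a different file type.
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'No file supplied.', 400 );
    }
    $checked = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'] );
    $current = get_post_mime_type( $attachment_id );
    if ( empty( $checked['type'] ) || $checked['type'] !== $current ) {
        wp_send_json_error( 'File type does not match the existing attachment.', 415 );
    }

    // 4. Only now overwrite the file on disk.
    $target = get_attached_file( $attachment_id );
    if ( ! $target || ! move_uploaded_file( $_FILES['file']['tmp_name'], $target ) ) {
        wp_send_json_error( 'Could not replace file.', 500 );
    }
    wp_send_json_success( array( 'id' => $attachment_id ) );
}

// The legitimate client must be handed a matching nonce; a third-party page
// cannot obtain one, which is what makes the check effective. Assumed script
// handle and file name.
function example_enqueue_replace_script() {
    wp_enqueue_script( 'example-replace', plugins_url( 'replace.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-replace', 'exampleReplace', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_replace_file' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_replace_script' );
```

When reviewing a plugin for this class of bug, look for any admin-ajax, admin-post or REST handler that mutates state and reaches current_user_can() without a preceding check_ajax_referer(), check_admin_referer() or wp_verify_nonce() call; the order matters less than the presence of both checks before the write.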
Affected Vendors & Products

Vendor: optimole
Product: optimize_images
Version / Range: up to and including 4.2.6
CWE

CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Quick Actions
Executive Summary

The vulnerability exists in the Optimole WordPress plugin (all versions up to 4.2.6) and is a Cross-Site Request Forgery (CSRF) issue. It occurs because the plugin's replace_file function lacks proper nonce validation. This allows an unauthenticated attacker to overwrite existing media attachments by sending a forged multipart POST request.

To exploit this, the attacker must trick a user with at least Author-level privileges into clicking a crafted link. The plugin checks if the user can edit the targeted post, so the attack only works if the victim has the capability to edit the attachment. Once triggered, the attacker can replace media files with malicious content.

Impact Analysis

This vulnerability can allow an attacker to overwrite media files on a WordPress site with attacker-supplied content. This could lead to the distribution of malicious files or altered media that could harm site visitors or damage the site's integrity.

Since the attack requires tricking an Author-level or higher user, it can result in unauthorized content changes without the victim's knowledge, potentially leading to defacement, malware distribution, or other malicious activities.

Mitigation Strategies

To mitigate this vulnerability, update the Optimole plugin to a version later than 4.2.6, in which the Cross-Site Request Forgery issue has been fixed.

Additionally, ensure that users with Author-level or higher privileges are cautious about clicking on untrusted links, as the vulnerability requires tricking such users to perform the malicious action.
