"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3
Critical: 0
High: 0
Medium: 3
Showing 1-3 of 3 records
Threat Entry Updated 2026-04-13

CVE-2026-2712 - Wp Optimize Plugin

The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image…

PLUGIN Wp Optimize

CVE-2026-2712

MEDIUM CVSS 5.4 2026-04-10
Threat Entry Updated 2025-06-09

CVE-2025-3951 - Wp Optimize Plugin

The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.

PLUGIN Wp Optimize

CVE-2025-3951

MEDIUM CVSS 4.1 2025-06-02
Threat Entry Updated 2025-01-06

CVE-2023-1119 - Wp Optimize Plugin

The WP-Optimize WordPress plugin before 3.2.13 and the SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability.

PLUGIN Wp Optimize

CVE-2023-1119

MEDIUM CVSS 6.1 2023-07-10