Unauthorized Functionality Access in WP-Optimize Plugin for WordPress
CVE-2026-2712

5.4 MEDIUM

What is CVE-2026-2712?

The WP-Optimize plugin for WordPress has a significant vulnerability that allows unauthorized users to access critical functionality. The issue arises from insufficient capability checks within the receive_heartbeat() function, which let authenticated attackers with Subscriber-level access and above perform admin-only actions. These actions include reading sensitive logs, deleting backup images, invoking bulk image processing, and altering settings, all without the necessary permissions. The flaw shows why plugin code must enforce capability checks itself rather than treat any logged-in user as authorized.
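The missing control, sketched as an added example that is not WP-Optimize's own code: a WordPress Heartbeat callback that checks the caller's capability before dispatching any admin-only command. Every name prefixed `example_`, the command names, and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
/**
 * Added illustration, not WP-Optimize source. Names prefixed "example_" are hypothetical.
 *
 * 'heartbeat_received' fires for every logged-in user, Subscribers included,
 * so the callback has to authorize the caller itself before acting.
 */

// Hypothetical allow-list of admin-only commands this handler will dispatch.
const EXAMPLE_ADMIN_COMMANDS = array( 'get_log', 'delete_backup_images', 'bulk_process', 'save_settings' );

add_filter( 'heartbeat_received', 'example_receive_heartbeat', 10, 2 );

function example_receive_heartbeat( $response, $data ) {
	// Ignore heartbeats that carry nothing addressed to this plugin.
	if ( empty( $data['example_optimizer'] ) || ! is_array( $data['example_optimizer'] ) ) {
		return $response;
	}
	$request = $data['example_optimizer'];

	// Capability check: being logged in is not enough.
	// Assumed capability: manage_options (administrators on a default install).
	if ( ! current_user_can( 'manage_options' ) ) {
		$response['example_optimizer'] = array( 'error' => 'forbidden' );
		return $response;
	}

	// Accept only known commands; never dispatch on a raw client-supplied name.
	$command = isset( $request['command'] ) ? sanitize_key( $request['command'] ) : '';
	if ( ! in_array( $command, EXAMPLE_ADMIN_COMMANDS, true ) ) {
		$response['example_optimizer'] = array( 'error' => 'unknown_command' );
		return $response;
	}

	// Dispatch to whichever callback is registered for the command (hypothetical hook name).
	$response['example_optimizer'] = apply_filters( "example_optimizer_command_{$command}", array(), $request );
	return $response;
}
```

The capability check runs before any command parsing, so a Subscriber's heartbeat never reaches the dispatch step.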

Affected Version(s)

WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance 0 <= 4.5.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev