Stored Cross-Site Scripting in Optimole Plugin for WordPress
CVE-2026-5217

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 11 April 2026

What is CVE-2026-5217?

The Optimole plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization of the 's' parameter of the REST endpoint /wp-json/optimole/v1/optimizations. The vulnerability allows unauthenticated attackers to execute arbitrary web scripts on affected sites. The issue arises because the plugin stores the user-supplied srcset descriptor without proper escaping, so a malicious value is later emitted inside the srcset attribute on pages viewed by other users. Mitigation requires both validating the descriptor on input (a srcset descriptor is only ever a width such as "640w" or a density such as "2x") and escaping it on output.
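The following is an added example, not Optimole's own code, showing the two-layer fix the description calls for: a strict validate_callback on the 's' argument of the REST route named above, and attribute escaping when the stored descriptor is rendered into srcset. The function names, the HTTP method and the permission callback are assumptions; esc_attr() and register_rest_route() are the real WordPress APIs, with a htmlspecialchars() fallback so the file also runs under plain php-cli.

```php
<?php
// Added example, not Optimole's code. Function names are hypothetical.

// A srcset descriptor is either a width descriptor ("640w") or a pixel-density
// descriptor ("2x", "1.5x"). Anything else is rejected before it is stored.
function optimole_demo_valid_descriptor( $descriptor ) {
    return is_string( $descriptor )
        && (bool) preg_match( '/^(?:\d+w|\d+(?:\.\d+)?x)$/', $descriptor );
}

// Build one srcset entry. Returns null for a rejected descriptor and escapes
// both parts on output, so a bad value that is already in storage cannot close
// the attribute or add new ones.
function optimole_demo_srcset_entry( $url, $descriptor ) {
    if ( ! optimole_demo_valid_descriptor( $descriptor ) ) {
        return null;
    }
    // esc_attr() is the WordPress attribute escaper; fall back to
    // htmlspecialchars() so this example also runs outside WordPress.
    $esc = function_exists( 'esc_attr' )
        ? 'esc_attr'
        : function ( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); };
    return $esc( $url ) . ' ' . $esc( $descriptor );
}

// Wire the same check into the route named in the advisory, so the REST layer
// answers a malformed 's' with HTTP 400 before the handler runs. The method and
// the permission callback are assumptions; use the endpoint's real policy.
if ( function_exists( 'add_action' ) ) {
    add_action( 'rest_api_init', function () {
        register_rest_route( 'optimole/v1', '/optimizations', array(
            'methods'             => 'POST',
            'callback'            => 'optimole_demo_optimizations_handler', // hypothetical
            'permission_callback' => '__return_true',                      // assumed
            'args'                => array(
                's' => array(
                    'required'          => true,
                    'validate_callback' => 'optimole_demo_valid_descriptor',
                ),
            ),
        ) );
    } );
}

// Constructed sample inputs for a stand-alone run (php this-file.php):
// a well-formed descriptor is accepted, one carrying a quote is rejected.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    var_dump( optimole_demo_srcset_entry( 'https://example.com/img.jpg', '2x' ) );
    var_dump( optimole_demo_srcset_entry( 'https://example.com/img.jpg', '2x" data-x="' ) );
}
```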

Affected Version(s)

Optimole – Optimize Images in Real Time: all versions up to and including 4.2.2 (0 <= version <= 4.2.2)

References

CVSS v3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Quốc Huy