Search criteria
4 vulnerabilities by Optimole
CVE-2026-1843 (GCVE-0-2026-1843)
Vulnerability from cvelistv5 – Published: 2026-02-14 08:26 – Updated: 2026-02-14 08:26
VLAI?
Title
Super Page Cache <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting via Activity Log
Summary
The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| optimole | Super Page Cache |
Affected:
* , ≤ 5.2.2
(semver)
|
Credits
Angus Girvan
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Super Page Cache",
"vendor": "optimole",
"versions": [
{
"lessThanOrEqual": "5.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T08:26:47.080Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0c68e1e-5255-4e79-a6d9-a2021836e584?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3454474/wp-cloudflare-page-cache"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-03T18:10:31.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-13T19:48:00.000Z",
"value": "Disclosed"
}
],
"title": "Super Page Cache \u003c= 5.2.2 - Unauthenticated Stored Cross-Site Scripting via Activity Log"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1843",
"datePublished": "2026-02-14T08:26:47.080Z",
"dateReserved": "2026-02-03T17:55:03.309Z",
"dateUpdated": "2026-02-14T08:26:47.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11519 (GCVE-0-2025-11519)
Vulnerability from cvelistv5 – Published: 2025-10-18 06:42 – Updated: 2025-10-20 19:02
VLAI?
Title
Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload
Summary
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| optimole | Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization |
Affected:
* , ≤ 4.1.0
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T19:02:41.179182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T19:02:49.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Optimole \u2013 Optimize Images | Convert WebP \u0026 AVIF | CDN \u0026 Lazy Load | Image Optimization",
"vendor": "optimole",
"versions": [
{
"lessThanOrEqual": "4.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Optimole \u2013 Optimize Images | Convert WebP \u0026 AVIF | CDN \u0026 Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn\u0027t belong to them."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-18T06:42:47.493Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9288ed60-b14b-4188-84d4-efe770093551?source=cve"
},
{
"url": "https://research.cleantalk.org/CVE-2025-11519"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3378645%40optimole-wp\u0026new=3378645%40optimole-wp\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-09T21:13:01.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-17T18:03:14.000+00:00",
"value": "Disclosed"
}
],
"title": "Image optimization service by Optimole \u003c= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11519",
"datePublished": "2025-10-18T06:42:47.493Z",
"dateReserved": "2025-10-08T17:29:21.851Z",
"dateUpdated": "2025-10-20T19:02:49.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4636 (GCVE-0-2024-4636)
Vulnerability from cvelistv5 – Published: 2024-05-15 06:51 – Updated: 2024-08-01 20:47
VLAI?
Title
Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF <= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Summary
The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| optimole | Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF |
Affected:
* , ≤ 3.12.10
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T14:30:52.436266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:53.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be88566d-fc84-442d-bb34-834ad9f4465b?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/3.12.10/inc/admin.php#L1828"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3086306/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Image Optimization by Optimole \u2013 Lazy Load, CDN, Convert WebP \u0026 AVIF",
"vendor": "optimole",
"versions": [
{
"lessThanOrEqual": "3.12.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Image Optimization by Optimole \u2013 Lazy Load, CDN, Convert WebP \u0026 AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018allow_meme_types\u2019 function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T06:51:55.715Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be88566d-fc84-442d-bb34-834ad9f4465b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/3.12.10/inc/admin.php#L1828"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3086306/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-14T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Image Optimization by Optimole \u2013 Lazy Load, CDN, Convert WebP \u0026 AVIF \u003c= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4636",
"datePublished": "2024-05-15T06:51:55.715Z",
"dateReserved": "2024-05-07T23:39:11.915Z",
"dateUpdated": "2024-08-01T20:47:41.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27968 (GCVE-0-2024-27968)
Vulnerability from cvelistv5 – Published: 2024-03-21 16:58 – Updated: 2024-08-02 00:41
VLAI?
Title
WordPress Super Page Cache for Cloudflare plugin <= 4.7.5 - Cross Site Request Forgery (CSRF) to XSS vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.
Severity ?
7.1 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Optimole | Super Page Cache for Cloudflare |
Affected:
n/a , ≤ 4.7.5
(custom)
|
Credits
Majed Refaea (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-21T18:36:22.862869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:38.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.957Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-cloudflare-page-cache/wordpress-super-page-cache-for-cloudflare-plugin-4-7-5-cross-site-request-forgery-csrf-to-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-cloudflare-page-cache",
"product": "Super Page Cache for Cloudflare",
"vendor": "Optimole",
"versions": [
{
"changes": [
{
"at": "4.7.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.7.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Majed Refaea (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.\u003cp\u003eThis issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T16:58:07.316Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-cloudflare-page-cache/wordpress-super-page-cache-for-cloudflare-plugin-4-7-5-cross-site-request-forgery-csrf-to-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 4.7.6 or a higher version."
}
],
"value": "Update to 4.7.6 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Super Page Cache for Cloudflare plugin \u003c= 4.7.5 - Cross Site Request Forgery (CSRF) to XSS vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-27968",
"datePublished": "2024-03-21T16:58:07.316Z",
"dateReserved": "2024-02-28T16:46:55.226Z",
"dateUpdated": "2024-08-02T00:41:55.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}