CVE-2026-2712 MEDIUM

CVE-2026-2712: WP-Optimize <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and Image Manipulation

Vendor: Davidanderson
Product: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Weakness: CWE-863 · Incorrect authorization
Published: April 10, 2026
Last update: April 10, 2026

CVSS base score: 5.4/10

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).
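As an added example (not WP-Optimize's own code), this is what a Heartbeat receiver looks like when it applies the same three checks the advisory says the `updraft_smush_ajax` path enforces but `receive_heartbeat()` skipped: a capability check, a nonce check, and a command allowlist before anything on `Updraft_Smush_Manager_Commands` is invoked. The payload keys, the nonce action name and the `$wpo_smush_commands` global are assumptions for illustration.

```php
<?php
// Added example, not WP-Optimize's own code: a Heartbeat receiver that applies the
// checks the advisory says the AJAX path enforces but the Heartbeat path skipped.
// Assumed names: payload keys 'wpo_smush_command', 'wpo_smush_nonce', 'wpo_smush_data';
// nonce action 'wpo-smush-heartbeat'; $commands is an Updraft_Smush_Manager_Commands
// instance whose public methods are named after the commands listed on the page.

// Allowlist: the only command names the receiver will ever dispatch.
const WPO_SMUSH_ALLOWED_COMMANDS = array(
    'get_smush_logs',
    'clean_all_backup_images',
    'process_bulk_smush',
    'update_smush_options',
);

function wpo_hardened_receive_heartbeat( array $response, array $data, $commands ) {
    if ( empty( $data['wpo_smush_command'] ) ) {
        return $response; // Not a Smush request; leave the Heartbeat response untouched.
    }
    // 1. Capability check: Subscriber-level users never reach the dispatcher.
    if ( ! current_user_can( 'manage_options' ) ) {
        $response['wpo_smush'] = array( 'error' => 'insufficient_permissions' );
        return $response;
    }
    // 2. Nonce check: the token must have been issued for this specific action.
    $nonce = isset( $data['wpo_smush_nonce'] ) ? (string) $data['wpo_smush_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'wpo-smush-heartbeat' ) ) {
        $response['wpo_smush'] = array( 'error' => 'invalid_nonce' );
        return $response;
    }
    // 3. Allowlist check: reject anything that is not a named command, so a
    //    client-supplied string can never select an arbitrary method.
    $command = sanitize_key( $data['wpo_smush_command'] );
    if ( ! in_array( $command, WPO_SMUSH_ALLOWED_COMMANDS, true )
        || ! method_exists( $commands, $command ) ) {
        $response['wpo_smush'] = array( 'error' => 'unknown_command' );
        return $response;
    }
    $args   = ( isset( $data['wpo_smush_data'] ) && is_array( $data['wpo_smush_data'] ) ) ? $data['wpo_smush_data'] : array();
    $result = call_user_func( array( $commands, $command ), $args );
    $response['wpo_smush'] = is_wp_error( $result )
        ? array( 'error' => $result->get_error_message() ) : $result;
    return $response;
}

// Wire the receiver into WordPress Heartbeat (filter signature: $response, $data).
add_filter( 'heartbeat_received', function ( $response, $data ) {
    global $wpo_smush_commands; // assumed: created by the plugin bootstrap
    return wpo_hardened_receive_heartbeat( (array) $response, (array) $data, $wpo_smush_commands );
}, 10, 2 );
```

Ordering matters: the capability check comes first so that a low-privilege account is rejected before any nonce or command string it supplied is even parsed.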

Explanation of Vulnerability in Simple Terms

02 Summary

WP-Optimize versions up to 4.5.0 contain an authorization flaw that allows authenticated users with low privileges to modify site data. An attacker with a standard user account can alter or delete cached content and database records without proper permission checks. This affects the plugin's core caching and optimization functions.

What an attacker can do

03 Attacker Capabilities

Modify or delete cached content and database records with a low-privilege user account.

Potential impact on your site

04 Site Impact

Site performance data, cache integrity, and database optimization settings can be altered by any authenticated user, potentially degrading site speed and stability.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with low-level permissions (e.g., Subscriber or Contributor role).

Key dates

06 Disclosure timeline

April 10, 2026: CVE published
April 10, 2026: Record updated