What the vulnerability does
01 Description
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).
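As an added example that is not WP-Optimize's own code, the following `heartbeat_received` handler shows the three checks the description says the vulnerable path skipped before calling into the command class: a capability check, a plugin nonce check, and a command allowlist. The class `Example_Smush_Commands`, the function names, the `example_smush` data key and the nonce action are assumed names for illustration.

```php
<?php
// Added example, not WP-Optimize code. Assumed names: Example_Smush_Commands,
// example_smush_heartbeat(), the 'example_smush' data key and nonce action.

// Commands a Heartbeat tick may dispatch; any other method name is rejected.
function example_smush_allowed_commands() {
    return array( 'get_smush_logs', 'process_bulk_smush',
                  'update_smush_options', 'clean_all_backup_images' );
}

// Returns true, or a WP_Error naming the first check that failed.
function example_smush_authorise( $command, $nonce ) {
    // 1. Capability: Smush operations are admin-only.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    // 2. Plugin nonce: core's generic heartbeat nonce only covers CSRF for
    //    the heartbeat request itself, not this plugin's actions.
    if ( ! wp_verify_nonce( $nonce, 'example_smush_nonce' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or expired nonce.' );
    }
    // 3. Allowlist: never let the client pick an arbitrary method name.
    if ( ! in_array( $command, example_smush_allowed_commands(), true ) ) {
        return new WP_Error( 'bad_command', 'Command not permitted.' );
    }
    return true;
}

// heartbeat_received filter. Expects
// $data['example_smush'] = array( 'command' => ..., 'nonce' => ..., 'args' => ... ).
function example_smush_heartbeat( $response, $data, $screen_id ) {
    if ( empty( $data['example_smush']['command'] ) ) {
        return $response; // nothing addressed to us in this tick
    }
    $req     = $data['example_smush'];
    $command = sanitize_key( $req['command'] );
    $nonce   = isset( $req['nonce'] ) ? (string) $req['nonce'] : '';
    $ok = example_smush_authorise( $command, $nonce );
    if ( is_wp_error( $ok ) ) {
        $response['example_smush'] = array( 'error' => $ok->get_error_code() );
        return $response;
    }
    // Only an authorised, allowlisted command reaches the command object.
    $args     = ( isset( $req['args'] ) && is_array( $req['args'] ) ) ? $req['args'] : array();
    $commands = new Example_Smush_Commands();
    $response['example_smush'] = call_user_func( array( $commands, $command ), $args );
    return $response;
}
add_filter( 'heartbeat_received', 'example_smush_heartbeat', 10, 3 );
```

A Subscriber sending a crafted Heartbeat payload now receives an `error` entry in the response instead of the command's result, and the failing check is named so it can be logged.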
Explanation of Vulnerability in Simple Terms
02 Summary
WP-Optimize versions up to 4.5.0 contain an authorization flaw that allows authenticated users with low privileges to modify site data. An attacker with a standard user account can alter or delete cached content and database records without proper permission checks. This affects the plugin's core caching and optimization functions.
What an attacker can do
03 Attacker Capabilities
Modify or delete cached content and database records with a low-privilege user account.
Potential impact on your site
04 Site Impact
Site performance data, cache integrity, and database optimization settings can be altered by any authenticated user, potentially degrading site speed and stability.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low-level permissions (e.g., Subscriber or Contributor role).
Key dates
06 Disclosure timeline
April 10, 2026: CVE published
April 10, 2026: Record updated