CVE-2026-4335 MEDIUM

CVE-2026-4335: ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title

Vendor Shortpixel
Product ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
Weakness CWE-79 · XSS
Published March 26, 2026
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.

Explanation of Vulnerability in Simple Terms

02Summary

ShortPixel Image Optimizer versions up to 6.4.3 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user with low privileges can inject malicious scripts that execute in the browsers of other site users, including administrators. The vulnerability requires user interaction to trigger. Upgrade to a version newer than 6.4.3 to remediate.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in other users' browsers, potentially stealing session tokens or admin credentials.

Potential impact on your site

04Site Impact

Attackers with basic site access can compromise admin accounts and take control of your site through stored XSS attacks.

Conditions required to exploit

05Prerequisites

Attacker needs a low-privilege account (e.g., subscriber or contributor) and must trick a user into visiting a page with the payload.

Key dates

06Disclosure timeline

March 26, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2026-4730 Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute CVE-2025-26746 WordPress Advanced Custom Fields: Link Picker Field plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-58235 WordPress Front End Users plugin <= 3.2.35 - Cross Site Scripting (XSS) vulnerability CVE-2025-22818 WordPress S3Player plugin <= 4.2.1 - Cross Site Scripting (XSS) vulnerability CVE-2025-49427 WordPress Abbie Expander plugin <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability