What the vulnerability does
01Description
The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Explanation of Vulnerability in Simple Terms
02Summary
Optimole versions up to 4.2.3 contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into the site. An attacker can craft a malicious link that, when clicked by a site visitor or administrator, executes JavaScript in their browser. This can lead to session hijacking, credential theft, or malware distribution. The vulnerability affects the site's scope, meaning the attack can impact other parts of the WordPress environment.
What an attacker can do
03Attacker Capabilities
Inject and execute malicious JavaScript in visitors' browsers via a crafted link.
Potential impact on your site
04Site Impact
Visitors and admins clicking malicious links could have sessions hijacked, credentials stolen, or be redirected to malware.
Conditions required to exploit
05Prerequisites
A site visitor or administrator must click a malicious link; no authentication required.
Key dates
06Disclosure timeline
April 11, 2026
CVE published
April 13, 2026
Record updated
