CVE-2026-11784
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The Optimole plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 4.2.6. The issue arises from missing or incorrect nonce validation in the replace_file function, allowing unauthenticated attackers to overwrite existing media attachments.
Risk Assessment
Attackers can exploit this vulnerability to overwrite files on the server, potentially leading to data loss or the introduction of malware. The risk increases when administrators are tricked into performing actions that enable the attack.
Recommendation
It is recommended to update the Optimole plugin to the latest version to mitigate this vulnerability. Additionally, implementing extra security measures to minimize the risk of user deception is advisable.
Original NVD description (English source)
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file function. This makes it possible for unauthenticated attackers to overwrite existing media attachments with attacker-supplied file content by supplying a forged multipart POST request targeting any attachment the victim has edit_post capability over via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The forged request requires a victim with at least Author-level privileges, as the handler enforces a current_user_can('edit_post', $id) check; tricking an Author-level or higher user into clicking a crafted link is sufficient to trigger the overwrite against attachments that user can edit.

