{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1319", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-22T00:47:13.386Z", "datePublished": "2026-02-05T08:25:43.231Z", "dateUpdated": "2026-04-08T16:43:09.605Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:09.605Z"}, "affected": [{"vendor": "themeisle", "product": "Robin Image Optimizer \u2013 Unlimited Image Optimization & WebP Converter", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Robin Image Optimizer \u2013 Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/288cd86b-8d13-46bf-99ef-76698cd62a41?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3445467/robin-image-optimizer/tags/2.0.3/libs/addons/includes/classes/webp/vendor/rosell-dk/dom-util-for-webp/src/PictureTags.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Vincent Theriault-Laine"}], "timeline": [{"time": "2026-01-22T01:03:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-04T19:32:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T15:04:08.798174Z", "id": "CVE-2026-1319", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:04:21.778Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1319", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T15:04:08.798174Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:04:13.491Z"}}], "cna": {"title": "Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field", "credits": [{"lang": "en", "type": "finder", "value": "Vincent Theriault-Laine"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themeisle", "product": "Robin Image Optimizer \u2013 Unlimited Image Optimization & WebP Converter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-22T01:03:33.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-04T19:32:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/288cd86b-8d13-46bf-99ef-76698cd62a41?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3445467/robin-image-optimizer/tags/2.0.3/libs/addons/includes/classes/webp/vendor/rosell-dk/dom-util-for-webp/src/PictureTags.php"}], "descriptions": [{"lang": "en", "value": "The Robin Image Optimizer \u2013 Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:09.605Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1319", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:09.605Z", "dateReserved": "2026-01-22T00:47:13.386Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-05T08:25:43.231Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Robin Image Optimizer \u2013 Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Robin Image Optimizer \u2013 Unlimited Image Optimization &amp; WebP Converter para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del campo 'Texto Alternativo' de una imagen de la librer\u00eda de medios en todas las versiones hasta la 2.0.2, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Autor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1319", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-05T09:15:50.643", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3445467/robin-image-optimizer/tags/2.0.3/libs/addons/includes/classes/webp/vendor/rosell-dk/dom-util-for-webp/src/PictureTags.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/288cd86b-8d13-46bf-99ef-76698cd62a41?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:23:22.277123+00:00", "value": {"mitigation_remediation": ["Update the Robin Image Optimizer plugin to version 2.0.3 or later, which includes proper sanitization and escaping for the alternative text field.", "If an immediate upgrade is not possible, scan the Media Library and manually remove or neutralise malicious code from the Alternative Text of all images that have been edited by susceptible users.", "Adjust WordPress role capabilities to prevent Authors from editing image metadata \u2013 restrict this ability to Administrators only, or use a plugin to enforce stricter access controls."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) via image alternative text"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have the Robin Image Optimizer \u2013 Unlimited Image Optimization & WebP Converter plugin installed in versions 2.0.2 or earlier are affected. The plugin is provided by Themeisle and used to optimize images in WordPress Media Library; any user with Author or higher role who can edit images may exploit the flaw.", "description_and_impact": "The vulnerability arises from inadequate sanitization and escaping of the \"Alternative Text\" field for images in the Media Library of the Robin Image Optimizer plugin. This flaw gives an attacker the ability to inject arbitrary JavaScript that is stored and rendered whenever that image is displayed, leading to XSS attacks on visitors to webpages that use the image. The impact is primarily on confidentiality and integrity of user sessions, potentially allowing credential theft, session hijacking, or defacement within the affected site.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating a moderate risk. The EPSS score is below 1 percent, showing a very low likelihood of exploitation at present, and it is not listed in the KEV catalog. The exploit requires an authenticated user with Author or higher privileges to edit an image\u2019s alternative text, inject malicious code, and then have that image displayed on any page. Given the need for legitimate author access, the attack surface is limited to sites with multiple authors or where site administrators grant media editing rights to non\u2011admin roles."}}}}, "created": "2026-02-06T12:05:45.835021+00:00", "updated": "2026-04-15T21:30:13.895279+00:00", "vendors": ["themeisle", "themeisle$PRODUCT$robin_image_optimizer_\u2013_unlimited_image_optimization_&_webp_converter", "wordpress", "wordpress$PRODUCT$wordpress"]}