{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5226", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-31T13:15:00.960Z", "datePublished": "2026-04-11T01:24:57.542Z", "dateUpdated": "2026-04-13T12:27:49.136Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-13T12:03:32.736Z"}, "affected": [{"vendor": "optimole", "product": "Optimole \u2013 Optimize Images in Real Time", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Optimole \u2013 Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/112cea93-fa4b-4692-8c8b-e74255f61939?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L459"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L459"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L542"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L542"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/admin.php#L1012"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/admin.php#L1012"}, {"url": "https://plugins.trac.wordpress.org/changeset/3498040/optimole-wp/trunk/inc/manager.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Foptimole-wp/tags/4.2.3&new_path=%2Foptimole-wp/tags/4.2.4"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ali Cem Havare"}, {"lang": "en", "type": "finder", "value": "Sencer K\u0131l\u0131\u00e7"}, {"lang": "en", "type": "finder", "value": "Cesi De Taranto"}], "timeline": [{"time": "2026-03-31T13:30:49.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-10T11:39:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:27:26.737479Z", "id": "CVE-2026-5226", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:27:49.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5226", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T12:27:26.737479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:27:41.879Z"}}], "cna": {"title": "Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL", "credits": [{"lang": "en", "type": "finder", "value": "Ali Cem Havare"}, {"lang": "en", "type": "finder", "value": "Sencer K\u0131l\u0131\u00e7"}, {"lang": "en", "type": "finder", "value": "Cesi De Taranto"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "optimole", "product": "Optimole \u2013 Optimize Images in Real Time", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.2.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-31T13:30:49.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-10T11:39:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/112cea93-fa4b-4692-8c8b-e74255f61939?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L459"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L459"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L542"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L542"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/admin.php#L1012"}, {"url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/admin.php#L1012"}, {"url": "https://plugins.trac.wordpress.org/changeset/3498040/optimole-wp/trunk/inc/manager.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Foptimole-wp/tags/4.2.3&new_path=%2Foptimole-wp/tags/4.2.4"}], "descriptions": [{"lang": "en", "value": "The Optimole \u2013 Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-13T12:03:32.736Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5226", "state": "PUBLISHED", "dateUpdated": "2026-04-13T12:27:49.136Z", "dateReserved": "2026-03-31T13:15:00.960Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-11T01:24:57.542Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Optimole \u2013 Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2026-5226", "lastModified": "2026-04-24T18:00:32.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-11T02:16:03.120", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/admin.php#L1012"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L459"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L542"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/admin.php#L1012"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L459"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L542"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3498040/optimole-wp/trunk/inc/manager.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Foptimole-wp/tags/4.2.3&new_path=%2Foptimole-wp/tags/4.2.4"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/112cea93-fa4b-4692-8c8b-e74255f61939?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Optimole \u2013 Optimize Images in Real Time", "source": "cna", "vendor": "optimole"}, "product": "optimole_\u2013_optimize_images_in_real_time", "vendor": "optimole"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-11T02:22:56.994996+00:00", "value": {"mitigation_remediation": ["Update the Optimole plugin to version 4.2.4 or later, which contains the XSS fix.", "If an update cannot be applied immediately, disable or restrict access to the page profiler URL feature to prevent exploitation.", "Verify that the commercial or open\u2011source host does not expose the vulnerable endpoint before making the site publicly accessible.", "Continue to monitor security advisories from Optimole for any additional mitigations or updates."], "summary": {"action": "Immediate Patch", "impact": "Reflected Cross\u2011Site Scripting that can execute arbitrary JavaScript in a visitor\u2019s browser"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that uses the Optimole plugin, version 4.2.3 or earlier, is affected. The flaw resides in the page profiler URL handling within the plugin\u2019s admin and manager modules. Users of these versions should assume the entire WordPress site is vulnerable to XSS through that specific endpoint.", "description_and_impact": "The Optimole \u2013 Optimize Images in Real Time plugin for WordPress is vulnerable to a reflected cross\u2011site scripting (XSS) flaw. Insufficient escaping of user\u2011supplied URL paths in the get_current_url() function leads to arbitrary JavaScript being injected into the page. An attacker can insert malicious code that will run in the browser of anyone who visits the crafted URL, potentially enabling cookie theft, session hijacking, defacement or other client\u2011side compromise.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a medium severity vulnerability. An unauthenticated attacker can exploit it via a crafted link that a victim clicks, without needing special permissions. EPSS data is not available, and the flaw is not currently listed in the CISA KEV catalog, but the lack of exploitation data does not eliminate risk. The vulnerability is exploitable in a true web\u2011based environment and can be triggered remotely by any user who follows the malicious link."}}}}, "created": "2026-04-13T12:42:02.202951+00:00", "updated": "2026-04-13T12:56:46.629272+00:00", "vendors": ["optimole", "optimole$PRODUCT$optimole_\u2013_optimize_images_in_real_time", "wordpress", "wordpress$PRODUCT$wordpress"]}