Volerion logoVolerion
Volerion logoVolerion

ShortPixel Image Optimizer Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability allowing arbitrary file read has been identified in the ShortPixel Image Optimizer plugin for WordPress, affecting all versions through 6.4.2. This vulnerability arises from inadequate path validation and sanitization in the 'loadLogFile' AJAX action, enabling authenticated attackers with Editor-level access or higher to read arbitrary files on the server. Such files may contain sensitive information, including database credentials and authentication keys.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially exposing critical information such as database credentials and authentication keys.

Reproduction

To reproduce this vulnerability, an authenticated user with Editor-level access or higher can send a request to the 'loadLogFile' AJAX action, including a crafted 'loadFile' parameter that exploits the path traversal flaw. This request can be made through the WordPress admin interface or via a custom script that interacts with the WordPress AJAX API.

Remediation

Users are advised to update the ShortPixel Image Optimizer plugin to version 6.4.3 or a newer patched version.

Added: Feb 5, 2026, 7:20 AM
Updated: Feb 5, 2026, 3:24 PM

Vulnerability Rating

Custom Algorithm
spread
6.4
impact
3.3
exploitability
6.4
remediation
7.7
relevance
2.8
threat
4.8
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.