ShortPixel Image Optimizer WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the ShortPixel Image Optimizer plugin for WordPress, affecting all versions up to and including 6.4.3. The issue arises from inadequate output escaping in the 'getEditorPopup()' function and the associated 'media-popup.php' template. The vulnerability allows authors to inject malicious scripts into attachment titles via the REST API, which are then executed when a higher-privileged user opens the ShortPixel AI editor for the affected attachment.

Impact

Exploitation of this vulnerability allows for authenticated users with author-level access to inject scripts that are executed in the context of users with higher privileges, such as administrators.

Reproduction

To reproduce this vulnerability, an authenticated user with author-level access uploads an attachment and sets a title that includes a script payload; this can be done through the WordPress REST API. Once the attachment is uploaded, the injected script executes when the ShortPixel AI editor popup is opened for that attachment.

Remediation

Users are advised to update the ShortPixel Image Optimizer plugin to version 6.4.4, which addresses this vulnerability.
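As an added illustration of the defect class described above (an assumed pattern, not ShortPixel's own code), the following PHP contrasts a popup template that echoes the stored attachment title raw with one that escapes it for each output context; the function names, the `$attachment` variable and the sample title are constructed for this example.

```php
<?php
// Constructed example, not the plugin's code. Assumes a WordPress
// environment where $attachment is the WP_Post of the media item and
// the WordPress escaping helpers (esc_attr, esc_html, wp_json_encode)
// are loaded.

// Vulnerable pattern: post_title is written into an HTML attribute and
// into element content without escaping, so any markup an Author stored
// in the title is rendered live in the viewer's browser.
function sp_example_popup_unsafe( WP_Post $attachment ) {
    $title = $attachment->post_title;
    echo '<div class="sp-editor-popup" data-title="' . $title . '">';
    echo '<h2>' . $title . '</h2>';
    echo '</div>';
}

// Hardened pattern: escape at the point of output, choosing the escaper
// that matches the context the value lands in.
function sp_example_popup_safe( WP_Post $attachment ) {
    $title = $attachment->post_title;
    // Attribute context: esc_attr() encodes quotes, <, > and &.
    echo '<div class="sp-editor-popup" data-title="' . esc_attr( $title ) . '">';
    // Element content: esc_html() encodes the same characters for text nodes.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo '</div>';
    // If the title must be handed to inline JavaScript, emit it as a JSON
    // literal instead of concatenating it into a script string; json_encode
    // also escapes "/" so a stored "</script>" cannot close the block.
    echo '<script>var spEditorTitle = ' . wp_json_encode( $title ) . ';</script>';
}

// Constructed title containing markup and quotes, used to compare the two
// renderings when this file is included inside a WordPress request.
$example = new WP_Post( (object) array(
    'ID'         => 0,
    'post_title' => 'Photo <b>bold</b> "quoted" & more',
    'post_type'  => 'attachment',
) );
sp_example_popup_unsafe( $example ); // markup and quotes reach the page intact
sp_example_popup_safe( $example );   // rendered as literal text
```

In the hardened version the sample title is emitted as the visible text `Photo <b>bold</b> "quoted" & more` rather than as a bold element with a broken attribute, which is the behaviour the 6.4.4 fix restores for the editor popup.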

Added: Mar 26, 2026, 4:21 AM
Updated: Mar 26, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.4
exploitability: 6.2
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.