CVE-2026-4335 Overview
The ShortPixel Image Optimizer plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 6.4.3. The vulnerability exists due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139).
Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
Critical Impact
Authenticated attackers with Author-level privileges can execute arbitrary JavaScript in the context of administrator sessions, potentially leading to complete site compromise, administrative account takeover, or malicious plugin installation.
Affected Products
- ShortPixel Image Optimizer plugin for WordPress versions up to and including 6.4.3
- WordPress installations with ShortPixel Image Optimizer plugin enabled
- Sites where users with Author-level or above access can upload media attachments
Discovery Timeline
- 2026-03-26 - CVE-2026-4335 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-4335
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability stems from a classic output encoding failure in WordPress plugin development. The vulnerability chain begins when the plugin retrieves attachment metadata using get_post() in the AjaxController.php file at line 435. The retrieved post_title field is then passed directly to the view layer at line 449 without any sanitization or encoding.
The critical security failure occurs in media-popup.php at line 139, where the attachment title is rendered directly into an HTML input element's value attribute. Without proper escaping via WordPress's esc_attr() function, an attacker can include double-quote characters in the attachment title to break out of the HTML attribute context and inject malicious JavaScript event handlers.
The attack is particularly dangerous because it targets privilege escalation through social engineering. A lower-privileged Author user can poison an attachment title, and when an Administrator interacts with the ShortPixel popup for that attachment, the malicious script executes in the administrator's authenticated session context.
Root Cause
The root cause is missing output escaping in the template rendering layer. WordPress security best practices require all dynamic content rendered into HTML attributes to be escaped using esc_attr(). The absence of this escaping in media-popup.php allows user-controlled data from the database to be interpreted as HTML/JavaScript rather than plain text.
The vulnerability is exacerbated by WordPress's REST API, which permits Authors to set arbitrary attachment titles containing special characters like double-quotes, enabling the attribute breakout attack vector.
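The following is an added example, not code from ShortPixel or from the advisory. It models the attribute-context failure described above: the same attachment title rendered into an input element's value attribute once without escaping and once with attribute encoding. Python's html.escape(quote=True) stands in for WordPress esc_attr() (an assumption; the two agree on the characters that matter here), the template shape is constructed, and the rendered markup is then parsed the way a browser would so the effect of the missing escaping is visible as an extra attribute rather than as text.

```python
"""Added example (not ShortPixel's code): attribute-context escaping failure,
unescaped and escaped renderings side by side, checked by parsing the result.
html.escape(quote=True) is used as a stand-in for WordPress esc_attr()."""
import html
from html.parser import HTMLParser


def render_title_input_unescaped(title: str) -> str:
    """Vulnerable pattern: post_title interpolated straight into value="...".
    Constructed to mirror the template line the advisory describes."""
    return f'<input type="text" name="title" value="{title}">'


def render_title_input_escaped(title: str) -> str:
    """Fixed pattern: attribute-encode the title first (stand-in for esc_attr())."""
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}">'


class _InputAttrCollector(HTMLParser):
    """Collect the attributes of the first <input> element in the markup."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_input_attrs(markup: str) -> dict:
    """Parse the rendered markup as a browser would and return the input's attributes.
    html.parser decodes entities in attribute values, so &quot; comes back as a quote."""
    parser = _InputAttrCollector()
    parser.feed(markup)
    return parser.attrs or {}


def injected_event_handlers(markup: str) -> list:
    """Names of on* attributes that ended up on the element; non-empty means the
    title broke out of the value attribute."""
    return sorted(name for name in parsed_input_attrs(markup) if name.startswith("on"))


# Constructed title of the kind the advisory describes: a double quote closes the
# value attribute and a (harmless, console-only) event handler follows it.
SAMPLE_TITLE = 'Beach" onfocus="console.log(1)'

if __name__ == "__main__":
    for render in (render_title_input_unescaped, render_title_input_escaped):
        markup = render(SAMPLE_TITLE)
        print(f"{render.__name__}: handlers={injected_event_handlers(markup)}")
        print("  ", markup)
```

In the unescaped rendering the parser reports an onfocus attribute on the element, which is exactly what the advisory means by breaking out of the attribute; in the escaped rendering the whole title, quotes included, survives as the value attribute's text and no extra attribute exists. The check is done by parsing rather than by string matching because that is what decides how the browser treats the data.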
Attack Vector
The attack leverages network-accessible WordPress REST API endpoints, requiring the attacker to be authenticated with at least Author-level privileges. The attack flow proceeds as follows:
- An authenticated Author uploads a media attachment or modifies an existing one
- The attacker crafts a malicious post_title containing double-quote characters to escape the HTML attribute, followed by JavaScript event handlers (e.g., onfocus, onmouseover)
- The poisoned attachment is stored in the WordPress database
- When an Administrator opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the compromised attachment, the malicious JavaScript executes in their browser session
- The attacker's script runs with administrator privileges, potentially enabling session hijacking, administrative actions, or persistent backdoor installation
The vulnerability requires user interaction from a higher-privileged user viewing the poisoned content, which is reflected in the CVSS scoring. The attack vector is network-based with low complexity but requires prior authentication.
Detection Methods for CVE-2026-4335
Indicators of Compromise
- Unusual attachment titles in the WordPress media library containing special characters like double-quotes, angle brackets, or JavaScript keywords
- Unexpected JavaScript execution or browser console errors when accessing ShortPixel editor popups
- Modified attachment records with post_title values containing HTML event handler patterns (e.g., onfocus=, onmouseover=, onerror=)
- Unauthorized administrative actions that correlate with administrators viewing media attachments
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution from XSS payloads
- Monitor WordPress database wp_posts table for attachment titles containing suspicious patterns like ", <script>, or JavaScript event handlers
- Enable browser-side XSS auditing and review console logs for blocked script execution attempts
- Deploy Web Application Firewall (WAF) rules to detect XSS patterns in REST API requests to attachment endpoints
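As an added example (not part of the advisory and not ShortPixel code), the audit below runs the same kind of check the detection strategies describe over attachment title rows, and generalises it slightly: besides the attribute-breakout characters it flags any on*= event-handler attribute by pattern rather than a fixed list of three names. The rows are constructed in the shape of wp_posts (ID, post_type, post_title); in practice they would come from a query against the site's database.

```python
"""Added example (not from the advisory or the plugin): offline audit of
attachment titles for attribute-breakout characters and event-handler patterns.
Rows are constructed to look like wp_posts (ID, post_type, post_title)."""
import re

# Any on<letters> followed by optional whitespace and '=' (onfocus=, onblur =, ONERROR=...).
# \b keeps 'button=' from matching; a title like 'one=1' will still be flagged,
# which is acceptable for a review list.
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)

# Characters that can end a double-quoted attribute or start a tag.
BREAKOUT_CHARS = {'"': "double quote", "<": "angle bracket"}

# Constructed sample rows; 102 and 106 carry handler patterns, 103 a tag,
# 104 is not an attachment, 101 and 105 are ordinary titles.
SAMPLE_ROWS = [
    (101, "attachment", "Team photo 2026"),
    (102, "attachment", 'Beach" onfocus="console.log(1)'),
    (103, "attachment", "Logo <script>alert(1)</script>"),
    (104, "post", 'Not an attachment " onmouseover=x'),
    (105, "attachment", "O'Brien headshot"),
    (106, "attachment", "Chart onblur=x"),
]


def title_findings(title: str) -> list:
    """Human-readable reasons a single title looks suspicious (empty if none)."""
    findings = [name for ch, name in BREAKOUT_CHARS.items() if ch in title]
    match = EVENT_HANDLER_RE.search(title)
    if match:
        findings.append("event handler: " + match.group(0).strip())
    return findings


def audit_attachment_titles(rows) -> dict:
    """Return {ID: [findings]} for attachment rows whose title warrants review.
    Non-attachment post types are skipped, matching the SQL query's WHERE clause."""
    flagged = {}
    for post_id, post_type, title in rows:
        if post_type != "attachment":
            continue
        findings = title_findings(title)
        if findings:
            flagged[post_id] = findings
    return flagged


if __name__ == "__main__":
    for post_id, findings in audit_attachment_titles(SAMPLE_ROWS).items():
        print(post_id, "->", ", ".join(findings))
```

A title that contains both a breakout character and a handler pattern (row 102) is the combination the advisory describes; a handler pattern on its own (row 106) or a bare angle bracket (row 103) cannot break out of a double-quoted attribute by itself but still belongs on the review list, since the same title may be rendered elsewhere in a different context.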
Monitoring Recommendations
- Configure alerting for modifications to media attachment titles via the WordPress REST API
- Monitor administrator sessions for unusual activity patterns following media library access
- Review audit logs for privilege escalation attempts or unauthorized plugin/theme installations
- Implement real-time JavaScript execution monitoring on administrative WordPress pages
How to Mitigate CVE-2026-4335
Immediate Actions Required
- Update the ShortPixel Image Optimizer plugin to the latest patched version immediately
- Audit all existing media attachment titles in the WordPress database for suspicious content containing XSS payloads
- Restrict Author-level access temporarily if immediate patching is not possible
- Implement Content Security Policy headers to mitigate JavaScript execution from stored XSS
Patch Information
The vulnerability has been addressed in versions after 6.4.3. Review the ShortPixel Image Optimiser Changeset for specific code changes implementing proper output escaping. The fix involves adding esc_attr() escaping to the attachment title before rendering it into the HTML attribute context.
Additional technical details are available in the Wordfence Vulnerability Report, the AjaxController.php source, and the media-popup.php template.
Workarounds
- Temporarily disable the ShortPixel Image Optimizer plugin until the patch can be applied
- Remove Author-level user permissions to prevent exploitation by untrusted users
- Implement a Web Application Firewall rule to filter requests containing XSS patterns in attachment title fields
- Add Content Security Policy headers with strict script-src directives to block inline script execution
# Configuration example
# Add a CSP header in the WordPress .htaccess or nginx configuration.
# Note: wp-admin relies on inline scripts, so test a strict script-src on the
# admin pages before deploying it; a policy that blocks inline scripts also
# blocks the inline event handlers this vulnerability injects.

# Apache .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"

# Nginx configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';" always;

# SQL query to audit media attachments for suspicious titles
# Run against the WordPress database to identify potentially compromised attachments
# (adjust the wp_ table prefix if the site uses a custom one).
SELECT ID, post_title FROM wp_posts
WHERE post_type = 'attachment'
  AND (post_title LIKE '%"%'
    OR post_title LIKE '%<%'
    OR post_title LIKE '%onfocus%'
    OR post_title LIKE '%onmouseover%'
    OR post_title LIKE '%onerror%');
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.