CVE-2026-5217: WordPress Optimole Plugin XSS Vulnerability

CVE-2026-5217 Overview

CVE-2026-5217 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress. The vulnerability exists in all versions up to and including 4.2.2 and allows unauthenticated attackers to inject arbitrary web scripts into pages that execute whenever a user accesses the injected page.

The flaw stems from insufficient input sanitization and output escaping on the user-supplied s parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. While the endpoint validates requests using an HMAC signature and timestamp, these values are exposed directly in the frontend HTML, making them accessible to any visitor.

Critical Impact

Unauthenticated attackers can inject persistent malicious scripts that execute in the context of any user visiting affected pages, potentially leading to session hijacking, credential theft, or malware distribution.

Affected Products

• Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress versions up to and including 4.2.2

Discovery Timeline

• April 11, 2026 - CVE-2026-5217 published to NVD
• April 13, 2026 - Last updated in NVD database

Technical Details for CVE-2026-5217

Vulnerability Analysis

This Stored XSS vulnerability exploits a weakness in the Optimole plugin's handling of srcset descriptors within its image optimization REST API. The attack chain involves three key components within the plugin's codebase.

First, the /wp-json/optimole/v1/optimizations REST endpoint accepts unauthenticated requests that include an s parameter for srcset descriptors. Although the endpoint implements HMAC signature validation and timestamp verification to prevent tampering, these security tokens are inadvertently exposed in the frontend HTML source code. This exposure allows any visitor to observe and reuse valid signatures for malicious requests.

Second, the plugin applies sanitize_text_field() to the descriptor value in rest.php. While this WordPress function strips HTML tags, it critically fails to escape double quotes. This oversight allows specially crafted payloads containing double quotes to pass through the sanitization layer intact.

Third, the poisoned descriptor value is stored via WordPress transients (which are backed by the WordPress options table) and later retrieved by tag_replacer.php, where it is injected verbatim into the srcset attribute of image tags without proper output escaping. This allows the injected payload to break out of the attribute context and execute arbitrary JavaScript.

Root Cause

The root cause is a combination of inadequate input sanitization and missing output escaping. The sanitize_text_field() function used in rest.php does not escape double quotes, and tag_replacer.php fails to apply proper attribute escaping (such as esc_attr()) when outputting the stored descriptor into HTML attributes. This creates a classic stored XSS condition where malicious content persists across page loads.

Attack Vector

The attack can be executed remotely by any unauthenticated user. An attacker first observes the HMAC signature and timestamp values exposed in the frontend HTML of a site running the vulnerable plugin. Using these captured credentials, the attacker crafts a malicious request to the /wp-json/optimole/v1/optimizations endpoint with a payload-laden s parameter containing double quotes to escape the srcset attribute context and inject script content. The malicious payload is stored in the WordPress database via transients and subsequently served to all visitors who access pages where the poisoned image optimization data is rendered.

The vulnerability mechanism involves breaking out of the srcset attribute using double quotes, then injecting event handlers or script elements. Since the payload is stored server-side and rendered to all visitors, this constitutes a persistent XSS attack with broad impact across the affected WordPress site.

For technical implementation details, refer to the Optimole WP REST.php at Line 159, REST.php at Line 1008, and Tag Replacer at Line 526.

Detection Methods for CVE-2026-5217

Indicators of Compromise

• Unexpected JavaScript content or event handlers appearing within srcset attributes of <img> tags on pages served by WordPress sites using Optimole
• Anomalous POST requests to /wp-json/optimole/v1/optimizations containing suspicious patterns like double quotes followed by event handlers (e.g., onerror, onload)
• Transient values in the WordPress options table (wp_options with _transient_ prefix related to Optimole) containing script tags or JavaScript event handlers

Detection Strategies

• Implement Web Application Firewall (WAF) rules to inspect and block requests to Optimole REST endpoints containing XSS payloads or suspicious characters in the s parameter
• Configure Content Security Policy (CSP) headers with strict directives to mitigate the impact of injected scripts by restricting inline script execution
• Deploy file integrity monitoring on WordPress plugin files to detect unauthorized modifications to rest.php and tag_replacer.php

Monitoring Recommendations

• Monitor WordPress REST API access logs for unusual request patterns to /wp-json/optimole/v1/optimizations, particularly requests with encoded characters or script-like content
• Implement real-time alerting for database changes to Optimole-related transients that contain HTML or JavaScript content
• Enable browser-based XSS auditing and review client-side error logs for CSP violations that may indicate attempted exploitation

How to Mitigate CVE-2026-5217

Immediate Actions Required

• Update the Optimole plugin to a patched version above 4.2.2 immediately
• Audit WordPress transient data for any stored malicious payloads and clear potentially compromised Optimole transients
• Implement a WAF rule to block or sanitize requests to the vulnerable endpoint as a temporary measure if immediate patching is not possible
• Review site access logs for evidence of exploitation attempts and investigate any anomalous activity

Patch Information

A fix is available in versions newer than 4.2.2 of the Optimole plugin. The patch addresses the vulnerability by implementing proper output escaping using esc_attr() when rendering srcset attributes in tag_replacer.php and improving input validation in rest.php to escape or reject double quotes. For detailed patch analysis, refer to the Wordfence Vulnerability Report.

Workarounds

• Temporarily disable the Optimole plugin until a patch can be applied if image optimization is not mission-critical
• Implement server-level request filtering to block or sanitize the s parameter in requests to /wp-json/optimole/v1/optimizations
• Deploy strict Content Security Policy headers to prevent execution of injected scripts as a defense-in-depth measure

# Example: Add CSP header via Apache .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' https://*.optimole.com; style-src 'self' 'unsafe-inline';"