CVE-2026-2712
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the receive_heartbeat() function in includes/class-wp-optimize-heartbeat.php in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking Updraft_Smush_Manager_Commands methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (updraft_smush_ajax) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (get_smush_logs), deleting all backup images (clean_all_backup_images), triggering bulk image processing (process_bulk_smush), and modifying Smush options (update_smush_options).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| davidanderson | WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance | 0 <= 4.5.0 | affected |
Weaknesses
- CWE-863: CWE-863 Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6a0a376e-ea3a-40ca-9341-f28f92e15e02?source=cve
- https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L65
- https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-wp-optimize-heartbeat.php#L65
- https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L82
- https://research.cleantalk.org/cve-2026-2712/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.