CVE-2026-1246: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in shortpixel ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

Severity: Medium
Published: Thu Feb 05 2026 (02/05/2026, 06:47:41 UTC)
Source: CVE Database V5
Vendor/Project: shortpixel
Product: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

Description

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.

AI-Powered Analysis

Last updated: 02/05/2026, 07:14:45 UTC

Technical Analysis

CVE-2026-1246 is a path traversal vulnerability categorized under CWE-22 found in the ShortPixel Image Optimizer plugin for WordPress, which is widely used for image optimization and conversion to WebP and AVIF formats. The vulnerability exists in the 'loadLogFile' AJAX action, specifically in the handling of the 'loadFile' parameter. Due to insufficient validation and sanitization of this parameter, an authenticated attacker with Editor-level access or higher can manipulate the path input to traverse directories outside the intended restricted directory. This allows arbitrary file read on the server, potentially exposing sensitive files such as configuration files containing database credentials, authentication keys, or other sensitive data. The vulnerability affects all versions up to and including 6.4.2. Exploitation does not require user interaction but does require elevated privileges (Editor or above), limiting the attack surface to users with some level of trust on the WordPress site. The CVSS 3.1 base score is 4.9 (medium severity), reflecting the moderate impact and the requirement for authentication. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability highlights the importance of proper input validation and access control in WordPress plugins, especially those handling file system operations.

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive data exposure if the ShortPixel Image Optimizer plugin is deployed on their WordPress sites. Attackers with Editor-level access could read critical files, potentially leading to further compromise such as credential theft, lateral movement, or privilege escalation. This is particularly concerning for organizations with multiple content editors or contributors, increasing the likelihood of insider threats or compromised accounts. Exposure of database credentials or authentication keys could lead to data breaches or unauthorized access to backend systems. Although the vulnerability does not allow code execution or denial of service, the confidentiality impact is high. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance and reputational risks if exploited. The medium CVSS score reflects the balance between the requirement for authentication and the high confidentiality impact.

Mitigation Recommendations

1. Immediately restrict Editor-level and higher access to trusted users only, minimizing the risk of malicious exploitation.
2. Monitor and audit user accounts with Editor or Administrator privileges for suspicious activity or unauthorized access.
3. Implement strict file system permissions on the server to limit the exposure of sensitive files even if arbitrary file read is attempted.
4. Disable or remove the ShortPixel Image Optimizer plugin if it is not essential, or replace it with alternative plugins that have no known vulnerabilities.
5. Regularly check for updates from the vendor and apply patches promptly once available.
6. Employ Web Application Firewalls (WAF) with rules to detect and block path traversal attempts targeting the 'loadLogFile' AJAX action.
7. Conduct regular security assessments and penetration testing focused on WordPress plugins and their access controls.
8. Educate site administrators and editors about the risks of privilege misuse and the importance of strong authentication practices.
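As an added example supporting items 2 and 6 above (not code from the advisory, the plugin, or Wordfence), the script below scans web server access-log lines for calls to the 'loadLogFile' AJAX action whose 'loadFile' value looks like a traversal attempt. The action and parameter names come from the advisory; that they appear as `action=` and `loadFile=` query parameters on admin-ajax.php is an assumption, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic). The action name
# 'loadLogFile' and parameter 'loadFile' come from the advisory; how the
# plugin actually passes them through admin-ajax.php is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Feb/2026:07:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=loadLogFile&loadFile=shortpixel.log HTTP/1.1" 200 512
203.0.113.9 - - [05/Feb/2026:07:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=loadLogFile&loadFile=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3101
203.0.113.9 - - [05/Feb/2026:07:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=loadLogFile&loadFile=....//....//etc/passwd HTTP/1.1" 200 1820
198.51.100.3 - - [05/Feb/2026:07:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
"""

# Common Log Format: client IP, timestamp, request line, status code
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_traversal(value: str) -> bool:
    """True if a decoded parameter value could escape a single directory:
    any '..' inside a path component, an absolute path, or a NUL byte."""
    decoded = unquote(unquote(value))      # tolerate double URL-encoding
    norm = decoded.replace("\\", "/")      # treat backslash as a separator
    if norm.startswith("/") or "\x00" in norm:
        return True
    return any(".." in part for part in norm.split("/"))

def scan_log(text: str, action: str = "loadLogFile", param: str = "loadFile"):
    """Return (ip, timestamp, decoded value) for every request that calls
    the given AJAX action with a traversal-looking value in the parameter."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query)   # parse_qs decodes once
        if action not in qs.get("action", []):
            continue
        for value in qs.get(param, []):
            if is_traversal(value):
                hits.append((m["ip"], m["ts"], unquote(value)))
    return hits

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} traversal in loadFile: {value!r}")
```

Access logs only record query strings, so a WAF rule inspecting POST bodies is needed to cover requests that send the parameter in the body; correlate any hit with the authenticated WordPress user, since the action requires Editor-level access.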


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-20T18:53:28.652Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69843ff8f9fa50a62f08b1ec

Added to database: 2/5/2026, 7:00:08 AM

Last enriched: 2/5/2026, 7:14:45 AM

Last updated: 2/5/2026, 8:04:09 AM
