The WP-Optimize plugin for WordPress contains an authorization bypass vulnerability (CWE-863) in the receive_heartbeat() function located in includes/class-wp-optimize-heartbeat.php. This function invokes Updraft_Smush_Manager_Commands methods directly without validating user permissions, nonce tokens, or allowed commands. As a result, authenticated users with Subscriber-level privileges or higher can execute admin-only Smush plugin commands such as get_smush_logs, clean_all_backup_images, process_bulk_smush, and update_smush_options. This flaw affects all versions up to and including 4.5.0 of the plugin.

The vulnerability allows authenticated users with low-level privileges (Subscriber or above) to perform administrative Smush plugin operations that should be restricted. This can lead to unauthorized modification of plugin settings, deletion of backup images, initiation of bulk image processing, and access to log files. The impact is limited to integrity and availability aspects of the Smush plugin functionality, with no direct confidentiality impact reported. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact.

Patch status is not yet confirmed — no official fix or vendor advisory is provided in the available data. Users should monitor the vendor's official channels for updates and apply any forthcoming patches promptly. Until a fix is available, restrict plugin access to trusted users only and consider disabling the affected functionality if possible. Avoid granting Subscriber-level or higher access to untrusted users. No specific temporary mitigations are documented in the provided information.