CVE-2026-4335: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shortpixel ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
AI Analysis
Technical Summary
The ShortPixel Image Optimizer plugin for WordPress suffers from a stored XSS vulnerability due to insufficient output escaping in the getEditorPopup() function and media-popup.php template. The attachment's post_title is retrieved from the database and directly rendered into an HTML input element's value attribute without proper escaping (esc_attr()). Since WordPress allows Authors to set arbitrary attachment titles, including characters that can break HTML attributes, an attacker with Author-level privileges can inject JavaScript that executes when an administrator or other higher-privileged user opens the ShortPixel AI editor popup for that attachment. This vulnerability affects all versions up to and including 6.4.3.
Potential Impact
An attacker with Author-level access can inject arbitrary JavaScript into the ShortPixel AI editor popup, which executes in the context of higher-privileged users such as administrators. This can lead to session hijacking, privilege escalation, or other malicious actions within the WordPress admin interface. The vulnerability does not affect availability but impacts confidentiality and integrity.
Mitigation Recommendations
No official patch or fix is currently confirmed or provided by the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Author-level user capabilities to trusted users only and avoid opening the ShortPixel AI editor popup for attachments created by untrusted authors. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2026-4335: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shortpixel ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
Description
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ShortPixel Image Optimizer plugin for WordPress suffers from a stored XSS vulnerability due to insufficient output escaping in the getEditorPopup() function and media-popup.php template. The attachment's post_title is retrieved from the database and directly rendered into an HTML input element's value attribute without proper escaping (esc_attr()). Since WordPress allows Authors to set arbitrary attachment titles, including characters that can break HTML attributes, an attacker with Author-level privileges can inject JavaScript that executes when an administrator or other higher-privileged user opens the ShortPixel AI editor popup for that attachment. This vulnerability affects all versions up to and including 6.4.3.
Potential Impact
An attacker with Author-level access can inject arbitrary JavaScript into the ShortPixel AI editor popup, which executes in the context of higher-privileged users such as administrators. This can lead to session hijacking, privilege escalation, or other malicious actions within the WordPress admin interface. The vulnerability does not affect availability but impacts confidentiality and integrity.
Mitigation Recommendations
No official patch or fix is currently confirmed or provided by the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Author-level user capabilities to trusted users only and avoid opening the ShortPixel AI editor popup for attachments created by untrusted authors. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-17T14:15:42.197Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c574363c064ed76f968193
Added to database: 3/26/2026, 6:00:22 PM
Last enriched: 4/9/2026, 6:52:18 PM
Last updated: 5/10/2026, 9:14:21 AM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.