CVE-2026-4335: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shortpixel ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
AI Analysis
Technical Summary
CVE-2026-4335 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ShortPixel Image Optimizer plugin for WordPress, affecting all versions up to and including 6.4.3. The vulnerability stems from improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to properly escape the attachment post_title when rendering it into an HTML input element's value attribute within the getEditorPopup() function and the media-popup.php template. The post_title is retrieved from the database using get_post() in AjaxController.php and passed directly to the view template without esc_attr() escaping. Since WordPress allows users with Author-level permissions and above to set arbitrary attachment titles via the REST API, a malicious author can inject double-quote characters and JavaScript event handlers into the post_title. This crafted input breaks out of the HTML attribute context, enabling injection of arbitrary JavaScript code. The injected script executes when a higher-privileged user, such as an administrator, opens the ShortPixel AI editor popup (used for Background Removal or Image Upscale) for the poisoned attachment. This attack vector requires the attacker to have authenticated Author-level access and requires the victim to interact with the malicious attachment in the admin interface. The vulnerability does not affect unauthenticated users and does not lead to direct system compromise, but it can facilitate session hijacking, privilege escalation, or further attacks within the WordPress environment. The CVSS v3.1 base score is 5.4 (medium severity): network attack vector, low attack complexity, privileges required, and user interaction required. No known exploits are currently in the wild, but the vulnerability is publicly disclosed and should be addressed promptly.
Potential Impact
The primary impact of CVE-2026-4335 is the potential for authenticated attackers with Author-level access to inject persistent malicious JavaScript into the WordPress admin interface. This can lead to session hijacking, credential theft, or unauthorized actions performed with the privileges of higher-level users such as administrators. In multi-user WordPress environments, especially those with multiple content creators and editors, this vulnerability can be leveraged to escalate privileges or disrupt site management. While the vulnerability does not allow direct remote code execution or server compromise, the ability to execute arbitrary scripts in the context of an administrator's browser can have severe consequences, including defacement, data exfiltration, or installation of further malware. Organizations relying on ShortPixel Image Optimizer for image processing and optimization on WordPress sites are at risk, particularly if they allow multiple authors or editors to upload and manage media. The attack requires user interaction by the administrator, which may limit automated exploitation but does not eliminate risk. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks. Overall, the vulnerability poses a moderate risk to confidentiality and integrity within affected WordPress sites.
Mitigation Recommendations
To mitigate CVE-2026-4335, organizations should update the ShortPixel Image Optimizer plugin to a patched version as soon as one is available. Until an official patch is released, administrators should restrict Author-level permissions to trusted users only and monitor for suspicious attachment titles containing unusual characters or scripts. Implementing Web Application Firewall (WAF) rules to detect and block suspicious payloads in REST API requests targeting attachment titles can reduce exploitation risk. Additionally, site administrators should avoid opening the ShortPixel AI editor popup for attachments uploaded by untrusted authors. Applying strict Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution contexts. Regularly auditing user roles and permissions to minimize the number of users with Author-level or higher access reduces the attack surface. Finally, developers maintaining WordPress plugins should ensure proper output escaping using esc_attr() or equivalent functions when rendering user-controlled data in HTML attributes, to prevent similar XSS vulnerabilities.
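The following is an added, constructed example (not the plugin's code and not taken from the advisory) that illustrates two points from the description and the mitigation advice above: why a post_title written unescaped into a value="..." attribute breaks the attribute, and how esc_attr() (the fix the advisory names) neutralizes it. It also includes a simple heuristic a site owner could run over existing attachment titles when "monitoring for suspicious attachment titles". The render_title_input_* functions, the title_looks_suspicious() check and the sample titles are hypothetical; the esc_attr() polyfill exists only so the script runs outside WordPress, where the real esc_attr() is used instead.

```php
<?php
// Constructed example, not the ShortPixel plugin's code: attribute-context
// escaping of an attachment title, plus a detection heuristic for titles
// that could not be ordinary plain text.

// Polyfill so this runs outside WordPress. Inside WordPress the real
// esc_attr() is defined and this block is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Hypothetical stand-in for the vulnerable rendering pattern described in
// the advisory: the title is concatenated into value="..." unescaped.
function render_title_input_unsafe(string $post_title): string
{
    return '<input type="text" name="title" value="' . $post_title . '">';
}

// Hardened form: data placed in an HTML attribute gets attribute escaping,
// so a double quote in the title can no longer terminate the attribute.
function render_title_input_safe(string $post_title): string
{
    return '<input type="text" name="title" value="' . esc_attr($post_title) . '">';
}

// Detection heuristic (hypothetical) for the "monitor attachment titles"
// mitigation: flags titles containing attribute/tag delimiters, inline
// event-handler syntax or a script URL scheme.
function title_looks_suspicious(string $post_title): bool
{
    $patterns = [
        '/["<>]/',            // attribute or tag delimiters
        '/\bon[a-z]+\s*=/i',  // inline event handler such as onmouseover=
        '/javascript\s*:/i',  // script URL scheme
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $post_title)) {
            return true;
        }
    }
    return false;
}

// Constructed sample titles: one ordinary, one that closes the attribute.
$titles = [
    'Team photo, summer 2025',
    'Photo" onmouseover="alert(1)',
];

foreach ($titles as $t) {
    echo "Title:      $t\n";
    echo "Unsafe:     " . render_title_input_unsafe($t) . "\n";
    echo "Safe:       " . render_title_input_safe($t) . "\n";
    echo "Suspicious: " . (title_looks_suspicious($t) ? 'yes' : 'no') . "\n\n";
}
```

For the second title the unsafe rendering produces a second attribute (`value="Photo" onmouseover="alert(1)"`), while the hardened rendering keeps the whole string inside one attribute as `Photo&quot; onmouseover=&quot;alert(1)`. To feed real titles into the heuristic, a site owner can export them with WP-CLI (`wp post list --post_type=attachment --fields=ID,post_title --format=csv`) and review any row the check flags; flagged titles are candidates for manual review, not proof of compromise.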
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-17T14:15:42.197Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c574363c064ed76f968193
Added to database: 3/26/2026, 6:00:22 PM
Last enriched: 3/26/2026, 6:15:28 PM
Last updated: 3/26/2026, 7:15:49 PM