The Optimole WordPress plugin suffers from a stored cross-site scripting vulnerability due to improper neutralization of input in the 's' parameter of the /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests with an HMAC signature and timestamp, but these are exposed in frontend HTML, making the endpoint effectively unauthenticated. The plugin uses sanitize_text_field() which strips HTML tags but does not escape double quotes, allowing crafted input to be stored via transients and later injected verbatim into the srcset attribute in tag_replacer.php. This enables unauthenticated attackers to inject and execute arbitrary scripts in the context of any user visiting the affected pages.

An attacker can inject malicious scripts that execute in the browsers of users visiting pages where the injected payload is rendered. This can lead to theft of sensitive information, session hijacking, or other malicious actions within the context of the vulnerable website. The vulnerability does not require authentication and has a network attack vector with low complexity, making exploitation feasible. The CVSS score of 7.2 reflects a high severity impact on confidentiality and integrity without affecting availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling or removing the Optimole plugin to prevent exploitation. Monitor vendor channels for updates and apply patches promptly once available. Avoid relying on the HMAC signature and timestamp validation as these are exposed and do not prevent exploitation in this case.