{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2712", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-18T20:31:43.704Z", "datePublished": "2026-04-10T01:24:57.952Z", "dateUpdated": "2026-04-10T01:24:57.952Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:24:57.952Z"}, "affected": [{"vendor": "davidanderson", "product": "WP-Optimize \u2013 Cache, Compress images, Minify & Clean database to boost page speed & performance", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`)."}], "title": "WP-Optimize <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and Image Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a0a376e-ea3a-40ca-9341-f28f92e15e02?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-wp-optimize-heartbeat.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L82"}, {"url": "https://research.cleantalk.org/cve-2026-2712/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-03-03T12:42:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-09T11:52:37.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`)."}], "id": "CVE-2026-2712", "lastModified": "2026-04-10T02:16:02.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-10T02:16:02.913", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L65"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L82"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-wp-optimize-heartbeat.php#L65"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2026-2712/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a0a376e-ea3a-40ca-9341-f28f92e15e02?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP-Optimize \u2013 Cache, Compress images, Minify & Clean database to boost page speed & performance", "source": "cna", "vendor": "davidanderson"}, "product": "wp-optimize_\u2013_cache,_compress_images,_minify_&_clean_database_to_boost_page_speed_&_performance", "vendor": "davidanderson"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T02:50:47.492410+00:00", "value": {"mitigation_remediation": ["Upgrade WP\u2011Optimize to the latest release, which restores proper capability checks.", "If an upgrade is not immediately possible, disable the plugin\u2019s heartbeat integration or remove the receive_heartbeat hook to block the vulnerable endpoint.", "Restrict or remove the Subscriber role when it is not necessary, ensuring only administrators can perform smush operations.", "Monitor site logs for unexpected smush activity and verify media integrity after incidents."], "summary": {"action": "Apply Patch", "impact": "Unauthorized admin\u2011level operations via heartbeat endpoint"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WP\u2011Optimize plugin version 4.5.0 or earlier, developed by David Anderson. Any installation with the plugin activated and where a Subscriber role is present is susceptible.", "description_and_impact": "The WP\u2011Optimize plugin contains a missing capability check in the receive_heartbeat() handler. This allows any authenticated user with a role of Subscriber or higher to invoke smush functions that normally require administrator privileges. Through accepted heartbeat requests, an attacker can read smush logs, delete all backup images, trigger bulk image processing, or modify smush options, potentially causing data loss or denial of service for the media library.", "risk_and_exploitability": "The CVSS score is 5.4, indicating medium severity. No EPSS data is available and the issue is not listed in the CISA KEV catalog. An attacker only needs an authenticated account with Subscriber or higher privileges to exploit the flaw; no additional conditions are required. The risk is that malicious users could alter site content or deplete server resources through excessive image processing. While the impact is bounded to the permissions of the authenticated user, the potential for media loss or service disruption makes timely remediation important."}}}}, "created": "2026-04-10T08:36:14.100317+00:00", "updated": "2026-04-10T09:27:13.573187+00:00", "vendors": ["davidanderson", "davidanderson$PRODUCT$wp-optimize_\u2013_cache,_compress_images,_minify_&_clean_database_to_boost_page_speed_&_performance", "wordpress", "wordpress$PRODUCT$wordpress"]}