The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML, making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value in rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute in tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
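The root cause above is that tag stripping alone leaves a double quote intact, so a descriptor can break out of the srcset attribute. The following is an added illustration (not the plugin's code): it models that sanitization gap, shows the vulnerable attribute build beside a hardened one that allowlists the descriptor format and escapes on output, and includes an audit helper a defender could run over already-stored descriptor values. All function names, the sample URL and the stored-value keys are constructed for this example.

```python
import html
import re

# Allowlist for an HTML srcset descriptor: "<positive int>w" (width) or "<number>x" (density).
DESCRIPTOR_RE = re.compile(r"^(?:[1-9]\d*w|\d+(?:\.\d+)?x)$")


def strip_tags_only(value: str) -> str:
    """Model of tag-stripping sanitization (the sanitize_text_field() behaviour the
    advisory describes): removes <...> tags but leaves double quotes untouched."""
    return re.sub(r"<[^>]*>", "", value).strip()


def is_valid_descriptor(value: str) -> bool:
    """Strict allowlist check: only well-formed w/x descriptors pass."""
    return DESCRIPTOR_RE.fullmatch(value) is not None


def build_srcset_unsafe(url: str, descriptor: str) -> str:
    """Vulnerable pattern: tag-stripped value placed verbatim inside the attribute."""
    return f'<img srcset="{url} {strip_tags_only(descriptor)}">'


def build_srcset_safe(url: str, descriptor: str) -> str:
    """Hardened pattern: validate against the allowlist on input, escape on output."""
    if not is_valid_descriptor(descriptor):
        raise ValueError(f"rejected srcset descriptor: {descriptor!r}")
    return f'<img srcset="{html.escape(url, quote=True)} {html.escape(descriptor, quote=True)}">'


def audit_stored_descriptors(stored: dict[str, str]) -> list[str]:
    """Defender check over already-stored values (e.g. cached transients): return the
    keys whose descriptor fails the allowlist so the entries can be purged."""
    return [key for key, desc in stored.items() if not is_valid_descriptor(desc)]


# Constructed sample data; keys and values are not taken from any real site or from the plugin.
SAMPLE_STORED = {
    "transient_1": "800w",
    "transient_2": "1.5x",
    "transient_3": '800w" data-injected="1',  # double quote survives tag stripping
}

if __name__ == "__main__":
    bad = '800w" data-injected="1'
    print(build_srcset_unsafe("https://example.invalid/a.jpg", bad))  # attribute breakout
    print(audit_stored_descriptors(SAMPLE_STORED))  # ['transient_3']
```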
The Optimole WordPress plugin versions up to 4.2.2 contain a Stored Cross-Site Scripting vulnerability in the REST API endpoint due to insufficient input sanitization of the srcset descriptor parameter. Attackers can inject malicious scripts that persist in the database and execute when the cached content is retrieved by other users.
The Optimole image optimization plugin for WordPress contains a Stored XSS vulnerability in an unauthenticated REST API endpoint. Attackers can inject malicious JavaScript code through the srcset descriptor parameter, which is stored in the database via transients. The injected code executes when the cached content is retrieved by other users.
The Optimole WordPress image optimization plugin up to version 4.2.2 has a Stored XSS flaw in its REST API endpoint caused by weak input validation on the srcset descriptor. Malicious code injected through this parameter gets stored and executed when other users view the affected content.
Update Optimole plugin to version 4.2.3 or later immediately. Implement Web Application Firewall (WAF) rules to filter malicious srcset parameters. Review WordPress user roles and restrict REST API access to authenticated users only where possible. Monitor WordPress error logs for exploitation attempts.
Update the Optimole plugin to version 4.2.3 or later immediately. Apply Web Application Firewall rules to filter malicious srcset parameters. Review WordPress user roles and restrict REST API access to authorized users only. Monitor WordPress error logs to detect exploitation attempts.