Phạm Ngọc Khánh

**Name of the Vulnerable Software and Affected Versions** Image Optimizer by 10web WordPress plugin version 1.0.26 and earlier **Description** The issue is related to the Image Optimizer by 10web WordPress plugin, which does not properly sanitise and escape the `iowd tabs active` parameter before rendering it in the plugin admin panel. This leads to a reflected Cross-Site Scripting issue, allowing an attacker to trick a logged-in admin into executing arbitrary JavaScript by clicking a link. The vulnerability can be exploited by a remote attacker to conduct cross-site scripting attacks. **Recommendations** For versions prior to 1.0.27, update to version 1.0.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin admin panel to minimize the risk of exploitation. Avoid using the `iowd tabs active` parameter in the affected plugin admin panel until the issue is resolved.