PT-2026-28195 · WordPress · Shortpixel Image Optimizer

Daroo · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-4335

CVSS v3.1: 5.4 (Medium) · AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ShortPixel Image Optimizer versions prior to 6.4.4

Description: The ShortPixel Image Optimizer plugin for WordPress is susceptible to Stored Cross-Site Scripting. The cause is insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. The attachment's post title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into the value attribute of an HTML input element without attribute escaping. This allows authenticated attackers with Author-level access and above to inject arbitrary web scripts that execute when a higher-privileged user opens the ShortPixel AI editor popup for the poisoned attachment. The vulnerability is triggered by crafting an attachment title that breaks out of the HTML attribute and injects JavaScript event handlers.

Recommendations: Update ShortPixel Image Optimizer to version 6.4.4 or later.
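As an added illustration, not code from the ShortPixel plugin or from this advisory, the following plain-PHP script models the pattern described above: an attachment title interpolated into an input element's value attribute, once unescaped (the vulnerable shape) and once escaped (the fix). The sample titles are constructed, the function names are hypothetical, and attr_escape() stands in for WordPress's esc_attr() so the script runs without WordPress loaded. The attribute_names() check is a simple reviewer's test: a rendered tag that carries more attributes than the template wrote is one whose value broke out of its quotes.

```php
<?php
// Added example, not ShortPixel's code. Models an attachment title read from
// the database and placed into an <input value="..."> attribute.

// Constructed sample titles. The second contains a double quote which, if not
// escaped, closes the value attribute so the rest is parsed as new attributes.
const SAMPLE_TITLES = [
    'benign'  => 'Summer holiday photo',
    'crafted' => 'photo" onfocus="console.log(1)',
];

// Vulnerable pattern (the shape the advisory describes): raw interpolation.
function render_title_input_unescaped(string $title): string {
    return '<input type="text" name="title" value="' . $title . '">';
}

// Hardened pattern: escape for the attribute context before interpolation.
// In WordPress this would be esc_attr($title); htmlspecialchars with ENT_QUOTES
// is used here so the example runs stand-alone.
function attr_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_title_input_escaped(string $title): string {
    return '<input type="text" name="title" value="' . attr_escape($title) . '">';
}

// Review check: list the attribute names present in the rendered tag. The
// template wrote exactly type, name and value; anything extra means the title
// escaped its quotes.
function attribute_names(string $html): array {
    preg_match_all('/\s([a-zA-Z][\w-]*)="/', $html, $m);
    return $m[1];
}

$renderers = [
    'unescaped' => 'render_title_input_unescaped',
    'escaped'   => 'render_title_input_escaped',
];

foreach (SAMPLE_TITLES as $label => $title) {
    foreach ($renderers as $mode => $fn) {
        $html  = $fn($title);
        $attrs = attribute_names($html);
        $state = $attrs === ['type', 'name', 'value']
            ? 'attribute intact'
            : 'BROKEN OUT, attributes seen: ' . implode(',', $attrs);
        printf("%-8s %-10s %s\n    %s\n", $label, $mode, $state, $html);
    }
}
```

Running it shows the crafted title producing an extra onfocus attribute only in the unescaped rendering; the escaped rendering turns the quote into &quot; and the tag keeps its three attributes, which is exactly the change an attribute-context escape such as esc_attr() provides.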

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-4335

Affected Products: Shortpixel Image Optimizer