PT-2026-31845 · Unknown · Updraft Smush Manager Commands

Dmitry Ignatyev

Published: 2026-04-10 · Updated: 2026-04-11

CVE-2026-2712

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: WP-Optimize plugin for WordPress, versions up to and including 4.5.0

Description: The WP-Optimize plugin for WordPress has a flaw that allows unauthorized access to functionality. This is due to missing capability checks in the receive_heartbeat() function in the includes/class-wp-optimize-heartbeat.php file. The Heartbeat handler directly invokes Updraft_Smush_Manager_Commands methods without verifying user capabilities, a nonce token, or a command whitelist. This allows authenticated attackers with Subscriber-level access or higher to perform admin-only Smush operations, including reading log files via the /api/v1/smush/logs endpoint, deleting all backup images with the clean_all_backup_images() function, triggering bulk image processing with the process_bulk_smush() function, and modifying Smush options with the update_smush_options() function.

Recommendations: Update to a version of the WP-Optimize plugin later than 4.5.0.
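To show the three controls the advisory says the handler lacks (capability check, nonce check, command whitelist), here is an illustrative Heartbeat handler that applies all three before dispatching a command. This is added example code, not WP-Optimize's own; the class, method, option and nonce action names are hypothetical, while heartbeat_received, current_user_can and wp_verify_nonce are standard WordPress APIs.

```php
<?php
// Added illustration (not WP-Optimize's code): a Heartbeat handler that only
// dispatches plugin commands after capability, nonce and allow-list checks.
// Class, method and nonce action names are hypothetical.

class Example_Smush_Commands {
    // Explicit allow-list: only these methods are reachable through Heartbeat.
    const ALLOWED = array( 'get_smush_logs', 'update_smush_options' );

    public function get_smush_logs( array $args ) {
        return array( 'logs' => 'example log line' ); // placeholder body
    }

    public function update_smush_options( array $args ) {
        // Real code would validate and persist the options here.
        return array( 'updated' => true );
    }
}

function example_receive_heartbeat( $response, $data, $screen_id ) {
    if ( empty( $data['example_smush'] ) || ! is_array( $data['example_smush'] ) ) {
        return $response; // not our payload, leave the response untouched
    }
    $req = $data['example_smush'];

    // 1. Capability check: Smush operations are admin-only, so a Subscriber
    //    must be rejected here regardless of what the payload asks for.
    if ( ! current_user_can( 'manage_options' ) ) {
        $response['example_smush'] = array( 'error' => 'forbidden' );
        return $response;
    }
    // 2. Nonce check: token issued server-side with
    //    wp_create_nonce( 'example_smush_heartbeat' ) on the admin page.
    if ( empty( $req['nonce'] ) || ! wp_verify_nonce( $req['nonce'], 'example_smush_heartbeat' ) ) {
        $response['example_smush'] = array( 'error' => 'bad nonce' );
        return $response;
    }
    // 3. Command allow-list: never call a method name chosen by the client.
    $command = isset( $req['command'] ) ? (string) $req['command'] : '';
    if ( ! in_array( $command, Example_Smush_Commands::ALLOWED, true ) ) {
        $response['example_smush'] = array( 'error' => 'unknown command' );
        return $response;
    }
    $handler = new Example_Smush_Commands();
    $args    = ( isset( $req['args'] ) && is_array( $req['args'] ) ) ? $req['args'] : array();
    $response['example_smush'] = call_user_func( array( $handler, $command ), $args );
    return $response;
}
add_filter( 'heartbeat_received', 'example_receive_heartbeat', 10, 3 );
```

Any one of the three checks failing returns an error entry instead of dispatching, which is the behaviour the advisory's receive_heartbeat() was missing.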

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-2712

Affected Products: Updraft Smush Manager Commands, WP-Optimize