CVE-2026-5217

Name of the Vulnerable Software and Affected Versions Optimole – Optimize Images plugin for WordPress versions through 4.2.2

Description The Optimole – Optimize Images plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is caused by inadequate input sanitization and output escaping of the s parameter (srcset descriptor) within the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint employs HMAC signature and timestamp validation, but these values are exposed in the frontend HTML. The plugin utilizes sanitize text field() which strips HTML tags but does not escape double quotes, and the poisoned descriptor is stored in transients and injected into the srcset attribute without proper escaping.

Recommendations Update to a version beyond 4.2.2