Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF <= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

Wordfence Intelligence > Vulnerability Database > Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF <= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

6.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE	CVE-2024-4636
CVSS	6.4 (Medium)
Publicly Published	May 14, 2024
Last Updated	May 15, 2024
Researcher	wesley (wcraft)

Description

The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Learn more about Cross-Site Scripting vulnerabilities and how to prevent them.

References

Vulnerability Details for Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization

Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization

Software Type	Plugin
Software Slug	optimole-wp (view on wordpress.org)
Patched?	Yes
Remediation	Update to version 3.13.0, or a newer patched version
Affected Version	<= 3.12.10
Patched Version	3.13.0

Recent vulnerabilities in Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization

Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action

4.3

CVE-2026-11784

Jun 17, 2026

Researcher: Alexandru Bucur

Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter

7.2

CVE-2026-5217

Apr 10, 2026

Researcher: Quốc Huy (jtwings)

Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL

6.1

CVE-2026-5226

Apr 10, 2026

Researchers: Ali Cem Havare, Sencer Kılıç, Cesi De Taranto

Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload

4.3

CVE-2025-11519

Oct 17, 2025

Researcher: Dmitrii Ignatyev

ThemeIsle SDK <= Various Versions - Missing Authorization

5.3

CVE-2024-1047

Feb 1, 2024

Researcher: Francesco Carlucci

Image optimization & Lazy Load <= 3.3.1 - Admin+ Stored Cross-Site Scripting

4.8

CVE-2022-0969

Mar 21, 2022

Researcher: Kévin Mosbahi (Mika)

#	Title	CVE ID	CVSS	Researchers	Date
1	Optimole – Optimize Images \| Convert WebP & AVIF \| CDN & Lazy Load \| Image Optimization <= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action	CVE-2026-11784	4.3	Alexandru Bucur	June 17, 2026
2	Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter	CVE-2026-5217	7.2	Quốc Huy (jtwings)	April 10, 2026
3	Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL	CVE-2026-5226	6.1	Ali Cem Havare, Sencer Kılıç, Cesi De Taranto	April 10, 2026
4	Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload	CVE-2025-11519	4.3	Dmitrii Ignatyev	October 17, 2025
5	ThemeIsle SDK <= Various Versions - Missing Authorization	CVE-2024-1047	5.3	Francesco Carlucci	February 1, 2024
6	Image optimization & Lazy Load <= 3.3.1 - Admin+ Stored Cross-Site Scripting	CVE-2022-0969	4.8	Kévin Mosbahi (Mika)	March 21, 2022

View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation