CVE-2026-11784

June 18, 2026, 6:16 a.m.

4.3
Medium

Description

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file function. This makes it possible for unauthenticated attackers to overwrite existing media attachments with attacker-supplied file content by supplying a forged multipart POST request targeting any attachment the victim has edit_post capability over via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The forged request requires a victim with at least Author-level privileges, as the handler enforces a current_user_can('edit_post', $id) check; tricking an Author-level or higher user into clicking a crafted link is sufficient to trigger the overwrite against attachments that user can edit.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Optimize Images Convert Webp And Avif Cdn And Lazy Load Image Optimization Plugin
  • <=4.2.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress optimize_images_convert_webp_and_avif_cdn_and_lazy_load_image_optimization_plugin <=4.2.6 / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.5/inc/media_rename/attachment_edit.php#L24
https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.5/inc/media_rename/attachment_edit.php#L331
https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.6/inc/media_rename/attachment_edit.php#L24
https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.6/inc/media_rename/attachment_edit.php#L331
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574315%40optimole-wp&new=3574315%40optimole-wp&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/8a90de6e-6bd5-43b6-980d-84d25d4120ad?source=cve

Tags

[email protected]
CWE-352
2026-06-18
CVE-2026-11784

CVSS Score

4.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: June 18, 2026, 6:16 a.m.
Last Modified: June 18, 2026, 6:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.