Optimole Plugin for WordPress Allows Attackers to Execute Malicious Code

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.1

Optimole Plugin for WordPress Allows Attackers to Execute Malicious Code

CVE-2026-5226

Summary

The Optimole plugin for WordPress, used to optimize images, has a security flaw that could allow attackers to execute malicious code on your website. If a user clicks on a link that contains malicious code, it could harm your site or steal sensitive information. Update to the latest version of the plugin to protect your site.

Original title

Original description

The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

nvd CVSS3.1 6.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

Published: 11 Apr 2026 · Updated: 11 Apr 2026 · First seen: 11 Apr 2026