Platform
wordpress
Component
optimole-wp
Fixed in
4.2.3
CVE-2026-5217 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in the Optimole WordPress plugin. This vulnerability allows unauthenticated attackers to inject malicious scripts through the plugin, potentially leading to account compromise, data theft, or defacement of the website. The vulnerability affects versions 0.0.0 through 4.2.2 and has been resolved in version 4.2.3.
An attacker exploiting this XSS vulnerability can execute arbitrary JavaScript code in the context of a user's browser. This can lead to various malicious actions, including stealing session cookies, redirecting users to phishing sites, or injecting malicious content into the website. The vulnerability's impact is amplified by the exposed HMAC signature and timestamp, which allow some authentication checks to be bypassed. Successful exploitation could compromise user data and website integrity, potentially leading to significant reputational and financial damage.
This vulnerability was publicly disclosed on 2026-04-11. While no active exploitation campaigns have been definitively linked to CVE-2026-5217 at the time of writing, the ease of exploitation and the potential impact make it a likely target for opportunistic attackers. Public proof-of-concept exploits are expected to emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing the Optimole plugin, particularly those running older versions (0.0.0–4.2.2), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others. Sites with less stringent security practices or those that haven't implemented regular security updates are particularly vulnerable.
• wordpress / composer / npm:
  grep -r 'srcset descriptor' /var/www/html/wp-content/plugins/optimole/includes/rest-api/
• wordpress / composer / npm:
  wp plugin list --status=active | grep optimole
• wordpress / composer / npm:
  curl -I 'https://your-wordpress-site.com/wp-json/optimole/v1/optimizations?s=alert("XSS")'
• generic web:
  Inspect the HTML source code of pages using the Optimole plugin for suspicious JavaScript code injected via the 's' parameter in the /wp-json/optimole/v1/optimizations endpoint.
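The detection steps above are manual one-liners. The following script is an added example (not part of this advisory or of the Optimole project) that automates two of them from a defender's side: it parses the output of `wp plugin list` to flag an Optimole install below the fixed version 4.2.3, and it scans web-server access-log lines for requests to the /wp-json/optimole/v1/optimizations endpoint whose `s` parameter carries script-like content. The wp-cli output, the log lines and the `SUSPICIOUS` marker pattern are constructed for the example; the pattern is a triage heuristic, not a complete XSS signature.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

FIXED_VERSION = (4, 2, 3)  # Optimole release that fixes CVE-2026-5217 (from the advisory)
ENDPOINT = "/wp-json/optimole/v1/optimizations"  # endpoint named in the advisory

# Heuristic markers of script injection in a query value (constructed; triage only).
SUSPICIOUS = re.compile(
    r"<\s*script|javascript:|\bon\w+\s*=|alert\s*\(|document\.|window\.", re.I
)

# Common/combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '4.2.2' into (4, 2, 2); a non-numeric component ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(version):
    """True for any Optimole version below the fixed release (0.0.0 .. 4.2.2)."""
    return parse_version(version) < FIXED_VERSION


def vulnerable_plugins(wp_cli_output):
    """Parse the tab-separated table printed by `wp plugin list` and return
    [(name, version)] for Optimole entries still below the fixed version."""
    found = []
    for line in wp_cli_output.splitlines()[1:]:  # first line is the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        name, _status, _update, version = cols[:4]
        if "optimole" in name and is_vulnerable_version(version):
            found.append((name, version))
    return found


def suspicious_requests(log_lines):
    """Return requests to the Optimole optimizations endpoint whose 's'
    parameter contains script-like content (parse_qs decodes one layer of
    percent-encoding; unquote handles a second, double-encoded layer)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.startswith(ENDPOINT):
            continue
        for value in parse_qs(url.query).get("s", []):
            decoded = unquote(value)
            if SUSPICIOUS.search(decoded):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "s": decoded})
    return hits


# Constructed sample of `wp plugin list` output (not captured from a real site).
SAMPLE_WP_CLI = """name\tstatus\tupdate\tversion
akismet\tinactive\tnone\t5.3
optimole-wp\tactive\tavailable\t4.2.2"""

# Constructed access-log lines; the payload mirrors the advisory's own curl check.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Apr/2026:10:01:02 +0000] "GET /wp-json/optimole/v1/optimizations?s=alert(%22XSS%22) HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [11/Apr/2026:10:02:15 +0000] "GET /wp-json/optimole/v1/optimizations?s=hero-image HTTP/1.1" 200 340 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Apr/2026:10:03:40 +0000] "GET /wp-json/wp/v2/posts?s=alert(1) HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, version in vulnerable_plugins(SAMPLE_WP_CLI):
        print(f"[version] {name} {version} is below 4.2.3: upgrade required")
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"[log] {hit['ts']} {hit['ip']} -> {ENDPOINT} s={hit['s']!r} ({hit['status']})")
```

On a real host, feed `vulnerable_plugins` the output of `wp plugin list --status=active` and `suspicious_requests` the lines of the web server's access log; the third sample line is deliberately a different REST route, so it is not reported even though its `s` value matches the heuristic.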
disclosure
Exploit status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5217 is to immediately upgrade the Optimole plugin to version 4.2.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /wp-json/optimole/v1/optimizations endpoint with suspicious parameters. Additionally, carefully review any recent changes to the plugin's configuration or code for potential injection points. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the vulnerable endpoint and confirming that it is properly sanitized.
Update to version 4.2.3 or a newer patched version.
CVE-2026-5217 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Optimole WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Optimole versions 0.0.0 through 4.2.2. Upgrade to 4.2.3 or later to resolve the vulnerability.
Upgrade the Optimole plugin to version 4.2.3 or later. Consider implementing a WAF rule to block suspicious requests as an interim measure.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high likelihood of exploitation.
Refer to the Optimole website and WordPress plugin repository for the official advisory and update information.