Platform: wordpress
Component: optimole-wp
Fixed in: 4.2.3
CVE-2026-5217 is a stored Cross-Site Scripting (XSS) vulnerability in the Optimole WordPress plugin. It allows unauthenticated attackers to inject malicious scripts through the plugin, which can lead to account compromise, data theft, or defacement of the site. Versions 0.0.0 through 4.2.2 are affected; the issue is fixed in version 4.2.3.
The vulnerability arises from insufficient input sanitization and output escaping in the /wp-json/optimole/v1/optimizations REST endpoint, specifically in the 's' parameter (the srcset descriptor). An attacker can craft a request that carries JavaScript within this parameter. The plugin validates requests to the endpoint with an HMAC signature and timestamp, but both values are exposed directly in the frontend HTML, so any visitor can obtain them and potentially exploit the vulnerability. Successful exploitation executes arbitrary JavaScript in the browser of a user viewing the affected page, which may allow theft of session cookies, redirection to malicious websites, or modification of the site's content.
CVE-2026-5217 was publicly disclosed on 2026-04-11. No public proof-of-concept (PoC) code has been released at the time of writing, but the simplicity of the vulnerability suggests a high likelihood that a PoC will be developed. It is not currently listed in the CISA KEV catalog. Because the HMAC signature and timestamp are exposed, exploitation is relatively straightforward, which increases the risk of opportunistic attacks.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-5217 is to immediately upgrade the Optimole plugin to version 4.2.3 or later. This version includes the necessary fixes to properly sanitize and escape user-supplied input, preventing the XSS vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /wp-json/optimole/v1/optimizations endpoint with suspicious parameters. Additionally, review and restrict access to the endpoint if possible. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
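As an added example, not code from the Optimole plugin or its authors, the following plain PHP models the defect described above (a client-supplied srcset descriptor written into an HTML attribute without validation or escaping) next to the two defensive layers that close it, and the interim request check that a WAF rule would apply to the endpoint. All function names, the request shape and the sample inputs are hypothetical and constructed; only the endpoint path comes from the advisory.

```php
<?php
// Added example, not code from the Optimole plugin. A minimal model of how a
// client-supplied srcset descriptor can reach an HTML attribute, and the two
// defensive layers that close a stored XSS of this shape: allowlist
// validation on the way in and escaping on the way out. Function names,
// the request shape and the sample inputs below are hypothetical.

// Vulnerable shape: the descriptor is concatenated into the attribute as-is,
// so a value containing a double quote ends the attribute early.
function build_srcset_entry_vulnerable(string $url, string $descriptor): string
{
    return '<img srcset="' . $url . ' ' . $descriptor . '">';
}

// Layer 1: allowlist validation. A srcset descriptor is either a width
// descriptor such as "640w" or a pixel-density descriptor such as "2x" or
// "1.5x". Nothing else is accepted, so there is no need to "clean" bad values.
// In a WordPress REST route this check belongs in the parameter's
// validate_callback passed to register_rest_route().
function is_valid_srcset_descriptor(string $descriptor): bool
{
    return preg_match('/^(?:[1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)\z/', $descriptor) === 1;
}

// Layer 2: output escaping. Even a validated value is escaped at the point
// where it is written into an attribute; WordPress code would use esc_attr().
function build_srcset_entry_hardened(string $url, string $descriptor): ?string
{
    if (!is_valid_srcset_descriptor($descriptor)) {
        return null; // reject outright rather than attempt to repair the value
    }
    $safeUrl = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeDescriptor = htmlspecialchars($descriptor, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img srcset="' . $safeUrl . ' ' . $safeDescriptor . '">';
}

// Interim control for an unpatched site: a request filter (the shape a WAF
// rule would take) that flags a request to the optimizations endpoint whose
// 's' parameter is not a well-formed descriptor. $path and $query are a
// hypothetical model of the request; the endpoint path is from the advisory.
function request_is_suspicious(string $path, array $query): bool
{
    if (strpos($path, '/wp-json/optimole/v1/optimizations') !== 0) {
        return false;
    }
    if (!array_key_exists('s', $query)) {
        return false;
    }
    return !is_string($query['s']) || !is_valid_srcset_descriptor($query['s']);
}

// Constructed inputs. The second descriptor only closes the attribute and
// opens a harmless one; that is enough to show the boundary being crossed.
$url = 'https://example.invalid/image.jpg';
$benign = '640w';
$breakout = '640w" title="injected';

echo build_srcset_entry_vulnerable($url, $breakout), PHP_EOL;
echo build_srcset_entry_hardened($url, $benign), PHP_EOL;
var_dump(build_srcset_entry_hardened($url, $breakout));
var_dump(request_is_suspicious('/wp-json/optimole/v1/optimizations', ['s' => $benign]));
var_dump(request_is_suspicious('/wp-json/optimole/v1/optimizations', ['s' => $breakout]));
```

Run it with `php example.php`: the vulnerable builder emits the injected attribute, the hardened builder returns null for the same input and a properly escaped tag for the benign one, and the request filter flags only the malformed descriptor. The signature and timestamp the advisory describes do not change this picture: a value that any visitor can read from the page authenticates nothing about the request's contents, so the server has to treat the parameter as untrusted regardless, which is why the fix has to be validation and escaping rather than a stronger signature.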
Update to version 4.2.3, or a newer patched version
CVE-2026-5217 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Optimole WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Optimole versions 0.0.0 through 4.2.2. Upgrade to 4.2.3 or later to resolve the vulnerability.
Upgrade the Optimole plugin to version 4.2.3 or later. Consider implementing a WAF rule to block suspicious requests as an interim measure.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high likelihood of exploitation.
Refer to the Optimole website and WordPress plugin repository for the official advisory and update information.