WP-Optimize Vulnerability Lets Low-Privilege Users Wreck Smush Features

CVE Notify is flagging a critical vulnerability (CVE-2026-2712) in the popular WP-Optimize WordPress plugin. Versions up to and including 4.5.0 are susceptible to unauthorized function access due to a flaw in the receive_heartbeat() function in `includes/class-wp-optimize-heartbeat.php`. This function skips the capability checks, nonce verification, and command whitelisting that the plugin's standard AJAX handler enforces.

This oversight means even authenticated users with basic Subscriber-level access can trigger admin-level operations within the Smush image optimization suite. CVE Notify highlights that attackers could exploit this to read sensitive log files, wipe out all backup images, initiate bulk image processing, or even mess with Smush settings. The vulnerability stems from the direct invocation of Updraft_Smush_Manager_Commands methods without proper authorization validation.
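To make the missing controls concrete, here is a hardened heartbeat receiver written for this advisory; it is an added illustration, not WP-Optimize's own code, and the payload keys (`smush_command`, `smush_nonce`, `smush_data`), the nonce action name, the capability mapping and the way the command object is obtained are all assumptions. The three operation names come from the advisory; `heartbeat_received`, `current_user_can` and `wp_verify_nonce` are standard WordPress APIs.

```php
<?php
// Hypothetical hardened heartbeat receiver (illustration only, not WP-Optimize's code).
// The flaw described above: heartbeat data was forwarded to Smush command methods
// without the nonce, capability and allowlist checks that the AJAX path applies.

// Allowlist of Smush commands reachable via heartbeat and the capability each needs.
// Command names are from the advisory; requiring manage_options is an assumption.
const SMUSH_HEARTBEAT_COMMANDS = array(
    'get_smush_logs'          => 'manage_options',
    'clean_all_backup_images' => 'manage_options',
    'update_smush_options'    => 'manage_options',
);

/**
 * Validate a heartbeat command before anything is dispatched.
 * Returns the command name on success, or an array describing the refusal.
 */
function validate_smush_heartbeat_command(array $data) {
    if (empty($data['smush_command']) || !is_string($data['smush_command'])) {
        return array('error' => 'no_command');
    }
    $command = $data['smush_command'];
    // 1. Allowlist: refuse any method name not explicitly exposed to heartbeat,
    //    so arbitrary Updraft_Smush_Manager_Commands methods cannot be reached.
    if (!array_key_exists($command, SMUSH_HEARTBEAT_COMMANDS)) {
        return array('error' => 'unknown_command');
    }
    // 2. Capability: Subscribers lack manage_options and are refused here.
    if (!current_user_can(SMUSH_HEARTBEAT_COMMANDS[$command])) {
        return array('error' => 'forbidden');
    }
    // 3. Action-specific nonce (assumed action name 'smush-heartbeat').
    if (empty($data['smush_nonce']) || !wp_verify_nonce($data['smush_nonce'], 'smush-heartbeat')) {
        return array('error' => 'bad_nonce');
    }
    return $command;
}

// heartbeat_received is the WordPress filter invoked with the client's heartbeat data.
add_filter('heartbeat_received', function ($response, array $data) {
    $result = validate_smush_heartbeat_command($data);
    if (is_array($result)) {
        $response['smush'] = $result; // refused: no command object method is invoked
        return $response;
    }
    // Only a validated, allowlisted command reaches the command object.
    // Assumption: the command object is created here; the real constructor may differ.
    $commands = new Updraft_Smush_Manager_Commands();
    $args = isset($data['smush_data']) && is_array($data['smush_data']) ? $data['smush_data'] : array();
    $response['smush'] = call_user_func(array($commands, $result), $args);
    return $response;
}, 10, 2);
```

The refusal paths return a reason in the heartbeat response rather than throwing, so a site can log `forbidden` or `unknown_command` results from low-privilege accounts as the audit signal the advisory recommends watching for.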

What This Means For You

  • Organizations using WP-Optimize must immediately update the plugin to a patched version and audit logs for any suspicious Smush-related activities, especially those initiated by low-privilege accounts, to detect potential exploitation.

Indicators of Compromise

ID | Type | Indicator
CVE-2026-2712 | Auth Bypass | WP-Optimize plugin for WordPress, versions up to and including 4.5.0. Vulnerable component: `includes/class-wp-optimize-heartbeat.php`, in the `receive_heartbeat()` function. Missing capability checks allow authenticated attackers (Subscriber+) to invoke admin-only Smush operations.
CVE-2026-2712 | Information Disclosure | WP-Optimize plugin for WordPress, versions up to and including 4.5.0. Allows authenticated attackers to read log files via the `get_smush_logs` operation.
CVE-2026-2712 | Privilege Escalation | WP-Optimize plugin for WordPress, versions up to and including 4.5.0. Allows authenticated attackers to perform admin-only Smush operations such as deleting backup images (`clean_all_backup_images`) and modifying options (`update_smush_options`).
CVE-2026-2712 | Code Injection | WP-Optimize plugin for WordPress, versions up to and including 4.5.0. The vulnerable function `receive_heartbeat()` in `includes/class-wp-optimize-heartbeat.php` directly invokes `Updraft_Smush_Manager_Commands` methods without proper checks, enabling unauthorized execution of Smush operations.