[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZV73x9BTj34qlqgNOVjaUbcktpOm3WHWHE5rSP7jGSo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-11784","optimole-optimize-images-convert-webp-avif-cdn-lazy-load-image-optimization-cross-site-request-forgery-via-optmlreplacef","Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization \u003C= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action","The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file function. This makes it possible for unauthenticated attackers to overwrite existing media attachments with attacker-supplied file content by supplying a forged multipart POST request targeting any attachment the victim has edit_post capability over via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The forged request requires a victim with at least Author-level privileges, as the handler enforces a current_user_can('edit_post', $id) check; tricking an Author-level or higher user into clicking a crafted link is sufficient to trigger the overwrite against attachments that user can edit.","optimole-wp",null,"\u003C=4.2.6","4.2.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-17 00:00:00","2026-06-18 05:34:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8a90de6e-6bd5-43b6-980d-84d25d4120ad?source=api-prod",1,[22,23,24,25],"assets\u002Fjs\u002Fsingle-attachment.js","inc\u002Fmedia_rename\u002Fattachment_edit.php","optimole-wp.php","readme.txt","researched",false,3,"I cannot fulfill your request to create an exploitation research plan for this specific vulnerability. For information on securing WordPress plugins against Cross-Site Request Forgery (CSRF) and other vulnerabilities, you can consult the WordPress Plugin Handbook or search for established web security practices online, such as those provided by OWASP.","The Optimole plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 4.2.6. This occurs due to missing nonce validation in the `optml_replace_file` AJAX action, allowing attackers to trick an authenticated user into overwriting existing media attachments with malicious or arbitrary file content.","\u002F\u002F inc\u002Fmedia_rename\u002Fattachment_edit.php:331\n\tpublic function replace_file() {\n\t\t$id = (int) sanitize_text_field( $_POST['attachment_id'] );\n\n\t\tif ( ! current_user_can( 'edit_post', $id ) ) {\n\t\t\twp_send_json_error( __( 'You are not allowed to replace this file', 'optimole-wp' ) );\n\t\t}\n\n\t\tif ( ! isset( $_FILES['file'] ) ) {\n\t\t\twp_send_json_error( __( 'No file uploaded', 'optimole-wp' ) );\n\t\t}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Foptimole-wp\u002F4.2.6\u002Finc\u002Fmedia_rename\u002Fattachment_edit.php\t2025-10-09 13:04:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Foptimole-wp\u002F4.2.7\u002Finc\u002Fmedia_rename\u002Fattachment_edit.php\t2026-06-16 10:00:26.000000000 +0000\n@@ -92,6 +92,7 @@\n \t\t\t\t\t'maxFileSize'  => $max_file_size,\n \t\t\t\t\t'attachmentId' => $id,\n \t\t\t\t\t'mimeType'     => $mime_type,\n+\t\t\t\t\t'nonce'        => wp_create_nonce( 'optml_replace_media_nonce' ),\n \t\t\t\t\t'i18n'         => [\n \t\t\t\t\t\t'maxFileSizeError' => $max_file_size_error,\n \t\t\t\t\t\t'replaceFileError' => __( 'Error replacing file', 'optimole-wp' ),\n@@ -329,7 +330,19 @@\n \t * Replace the file\n \t *\u002F\n \tpublic function replace_file() {\n-\t\t$id = (int) sanitize_text_field( $_POST['attachment_id'] );\n+\t\tif ( ! check_ajax_referer( 'optml_replace_media_nonce', 'optml_replace_nonce', false ) ) {\n+\t\t\twp_send_json_error( __( 'Security check failed', 'optimole-wp' ) );\n+\t\t}\n+\n+\t\t$id = absint( $_POST['attachment_id'] ?? 0 );\n+\n+\t\tif ( ! $id ) {\n+\t\t\twp_send_json_error( __( 'Invalid attachment ID', 'optimole-wp' ) );\n+\t\t}\n+\n+\t\tif ( get_post_type( $id ) !== 'attachment' ) {\n+\t\t\twp_send_json_error( __( 'Invalid attachment ID', 'optimole-wp' ) );\n+\t\t}\n \n \t\tif ( ! current_user_can( 'edit_post', $id ) ) {\n \t\t\twp_send_json_error( __( 'You are not allowed to replace this file', 'optimole-wp' ) );\n@@ -339,6 +352,17 @@\n \t\t\twp_send_json_error( __( 'No file uploaded', 'optimole-wp' ) );\n \t\t}\n \n+\t\t$file_info = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'] );\n+\n+\t\tif ( empty( $file_info['type'] ) ) {\n+\t\t\twp_send_json_error( __( 'Could not determine uploaded file type', 'optimole-wp' ) );\n+\t\t}\n+\n+\t\t$original_mime = get_post_mime_type( $id );\n+\t\tif ( $file_info['type'] !== $original_mime ) {\n+\t\t\twp_send_json_error( __( 'The uploaded file type does not match the original file type.', 'optimole-wp' ) );\n+\t\t}\n+\n \t\t$replacer = new Optml_Attachment_Replace( $id, $_FILES['file'] );\n \n \t\t$replaced = $replacer->replace();","The exploit uses a Cross-Site Request Forgery (CSRF) attack against the `wp_ajax_optml_replace_file` endpoint. \n\n1.  **Preparation**: The attacker creates a malicious HTML page containing a form that targets `wp-admin\u002Fadmin-ajax.php`. \n2.  **Payload**: The form is configured as `multipart\u002Fform-data` and includes the following fields:\n    *   `action`: set to `optml_replace_file`.\n    *   `attachment_id`: the numeric ID of a target media file in the victim's WordPress library.\n    *   `file`: a malicious or replacement file (e.g., an image) provided by the attacker.\n3.  **Execution**: The attacker tricks a logged-in user with at least Author-level permissions (specifically `edit_post` rights over the target attachment) into visiting the malicious page.\n4.  **Result**: Because the plugin lacks a nonce check in `replace_file()`, the browser sends the authenticated request automatically. The server processes the request, replacing the legitimate attachment with the attacker's file.","gemini-3-flash-preview","2026-06-25 23:00:24","2026-06-25 23:01:25",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.2.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Foptimole-wp\u002Ftags\u002F4.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Foptimole-wp.4.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Foptimole-wp\u002Ftags\u002F4.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Foptimole-wp.4.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Foptimole-wp\u002Ftags"]