Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field

This research plan targets CVE-2026-1319, a Stored Cross-Site Scripting (XSS) vulnerability in the Robin Image Optimizer plugin for WordPress.

1. Vulnerability Summary

The Robin Image Optimizer plugin (<= 2.0.2) fails to sufficiently sanitize and escape the Alternative Text (alt text) field of images in the Media Library. While WordPress core provides some protections, the plugin likely hooks into image rendering or optimization logs to display this metadata. An authenticated user with Author privileges or higher can inject a malicious script into the Alt Text field. This script is stored in the database (usually as _wp_attachment_image_alt post meta) and executes when an administrative user views the plugin's optimization reports or when the plugin renders the image on the frontend (e.g., during WebP conversion or lazy loading).

2. Attack Vector Analysis

• Vulnerable Endpoint: wp-admin/admin-ajax.php (Standard WordPress media update) or the plugin's optimization dashboard.
• Action: save-attachment (Core WP) or a plugin-specific AJAX action if they provide a custom edit interface.
• Vulnerable Parameter: changes[alt_text__column] or alt (depending on the AJAX handler).
• Authentication: Required (Author level or higher). Authors can upload images and modify their metadata.
• Preconditions: Robin Image Optimizer must be active. The XSS typically triggers when the plugin processes the image or displays optimization logs.

3. Code Flow

1. Entry Point: An Author updates an image's "Alternative Text" via the Media Library.
2. Storage: The input is saved to the wp_postmeta table under the key _wp_attachment_image_alt.
3. Processing: The plugin (Robin Image Optimizer) retrieves this meta during optimization or when building its "Optimization Statistics" or "Image Comparison" views.
4. Sink: The plugin outputs the metadata without calling esc_attr() or esc_html().
   • Potential Sink 1: The plugin's comparison tool (likely admin/views/image-statistics.php or similar).
   • Potential Sink 2: Frontend rendering logic where the plugin replaces standard <img> tags with WebP/optimized versions (likely in includes/classes/class-rio-image-statistic.php or includes/classes/class-rio-attachment.php).

4. Nonce Acquisition Strategy

Since this exploit requires Author-level authentication to update Media, we must acquire the standard WordPress Media nonces.

1. Login: Log in as an Author.
2. Navigate: Use browser_navigate to go to the Media Library: /wp-admin/upload.php.
3. Extract Nonce: The save-attachment action requires a nonce typically found in the wp.media JavaScript object or localized variables.
   • Action: browser_eval("wp.media.model.settings.post.nonce") or inspecting the _wpnonce in the edit attachment modal.
4. Plugin Specifics: Check if Robin Image Optimizer localizes its own nonce for its dashboard.
   • Target Variable: window.wio_optimization?.nonce (inferred prefix for Robin Image Optimizer).

5. Exploitation Strategy

We will exploit this by updating an existing attachment's alternative text via the standard AJAX interface.

Step 1: Upload and Get ID

As an Author, upload a test image to get an attachment_id.

Step 2: Inject Payload

Send an AJAX request to update the Alt Text.

• Tool: http_request
• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Content-Type: application/x-www-form-urlencoded
• Body:

  action=save-attachment&id=[ATTACHMENT_ID]&_wpnonce=[NONCE]&changes[alt_text__column]=<img src=x onerror=alert("CVE-2026-1319")>
  

Step 3: Trigger Execution

The payload needs to be rendered. We will test two triggers:

1. Admin Dashboard: Navigate to the Robin Image Optimizer "Bulk Optimization" page: /wp-admin/admin.php?page=bulk_optimization-robin-image-optimizer. This page often lists images and their optimization status.
2. Frontend: Create a post containing the image and view it. Robin Image Optimizer will process the <img> tag and may output the unsanitized alt text in its optimized HTML.

6. Test Data Setup

1. User: Create a user with the Author role.
2. Image: Upload a standard .jpg or .png to the Media Library.
3. Post: Create a public post that includes this image.
4. Plugin Config: Ensure "WebP Conversion" or "Image Optimization" is enabled in Robin Image Optimizer settings to ensure the plugin's code path for image replacement is active.

7. Expected Results

• Storage: The _wp_attachment_image_alt meta for the image should contain the raw <img src=x onerror=...> string.
• Execution: When an Admin visits the plugin's "Optimization" page, the browser should execute the alert() call.
• Response: The admin-ajax.php request should return a JSON success message: {"success":true,"data":{...}}.

8. Verification Steps

1. Database Check: Use WP-CLI to verify the stored meta:

   wp post meta get [ATTACHMENT_ID] _wp_attachment_image_alt
   

2. DOM Inspection: Navigate to the optimization page via browser_navigate and check for the presence of the payload:

   browser_eval("document.body.innerHTML.includes('onerror=alert')")
   

9. Alternative Approaches

If the standard save-attachment action is sanitized by WordPress core before the plugin sees it (though this is unlikely given the CVE description), the plugin may have its own settings page for "Bulk Optimization" where it allows editing image metadata directly.

Alternative Payload:
If the attribute is rendered inside an existing alt="..." attribute:
" onmouseover="alert(1)" style="position:fixed;top:0;left:0;width:100%;height:100%;"
This would break out of the attribute and execute on mouse hover over the image.