[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4H7N-c47F7E1LkwXOxfj20Gv3cBafhFF2q1kWwE7Eiw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1246","shortpixel-image-optimizer-authenticated-editor-arbitrary-file-read-via-loadfile-parameter","ShortPixel Image Optimizer \u003C= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter","The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. 
This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.","shortpixel-image-optimiser",null,"\u003C=6.4.2","6.4.3","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-02-04 18:35:26","2026-02-05 06:47:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F03cb41d2-67c8-457f-8d85-7aede8e12d44?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1246 - ShortPixel Image Optimizer Path Traversal\n\n## 1. Vulnerability Summary\nThe **ShortPixel Image Optimizer** plugin (up to version 6.4.2) contains an arbitrary file read vulnerability. The issue exists in the AJAX handler for the `loadLogFile` action. The plugin fails to validate or sanitize the `loadFile` parameter, which is used to specify a file path for reading log contents. An authenticated user with **Editor** privileges or higher can use path traversal sequences (e.g., `..\u002F..\u002F`) to read sensitive files outside of the intended directory, such as `wp-config.php`.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `shortpixel_load_log` (inferred) or `shortpixel_load_log_file` (inferred)\n*   **Vulnerable Parameter:** `loadFile`\n*   **Authentication:** Required (Editor role or higher)\n*   **HTTP Method:** POST\n*   **Payload Type:** Path traversal string (e.g., `..\u002F..\u002F..\u002F..\u002Fwp-config.php`)\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX action for authenticated users via `add_action('wp_ajax_shortpixel_load_log', ...)`.\n2.  
**Handler Function:** The registered callback (likely `loadLogFile` or similar in a controller class) is invoked.\n3.  **Parameter Extraction:** The code retrieves the file path from `$_POST['loadFile']`.\n4.  **Insecure Operation:** The code passes this unsanitized path directly into a file-reading function like `file_get_contents()` or `readfile()`.\n5.  **Sink:** The contents of the file are echoed back to the user in the AJAX response.\n6.  **Missing Check:** There is no check to ensure the path resides within the plugin's log directory or that traversal characters are removed.\n\n## 4. Nonce Acquisition Strategy\nThe AJAX request will require a WordPress nonce for authorization. ShortPixel typically localizes its settings and nonces into a JavaScript object.\n\n1.  **Identify Trigger Page:** The log loading functionality is usually found on the ShortPixel settings page: `\u002Fwp-admin\u002Foptions-general.php?page=wp-shortpixel-settings`.\n2.  **Access Page:** Log in as an Editor and navigate to the settings page.\n3.  **Extract Nonce:** Use `browser_eval` to find the nonce in the localized JS object.\n    *   **Inferred JS Object:** `ShortPixelData` or `spio_data`.\n    *   **Inferred Nonce Key:** `nonce`, `_wpnonce`, or `shortpixel_nonce`.\n    *   **Command:** `browser_eval(\"window.ShortPixelData?.nonce\")` or `browser_eval(\"window.spio_vars?.nonce\")`.\n4.  **Manual Fallback:** If the JS object is unknown, search the page source for \"nonce\" within `\u003Cscript>` tags related to ShortPixel.\n\n## 5. 
Exploitation Strategy\n### Step 1: Create an Editor User\nUse WP-CLI to create a user with the Editor role to simulate the required privilege level.\n```bash\nwp user create attacker attacker@example.com --role=editor --user_pass=password123\n```\n\n### Step 2: Obtain Authentication Cookies\nUse the `http_request` or `browser_navigate` tool to log in as the `attacker` user and capture the session cookies.\n\n### Step 3: Extract Nonce\nNavigate to the ShortPixel settings page and extract the nonce using `browser_eval`.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=wp-shortpixel-settings`\n*   **JS Check:** `browser_eval(\"window.ShortPixelData\")`\n\n### Step 4: Execute Path Traversal\nSend a POST request to `admin-ajax.php` with the traversal payload.\n\n*   **Request URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `shortpixel_load_log` (inferred - confirm via `grep -r \"wp_ajax_shortpixel\"`)\n    *   `nonce`: `[EXTRACTED_NONCE]`\n    *   `loadFile`: `..\u002F..\u002F..\u002F..\u002Fwp-config.php`\n\n## 6. Test Data Setup\n1.  **Plugin State:** Ensure `shortpixel-image-optimiser` version \u003C= 6.4.2 is installed and activated.\n2.  **Configuration:** The plugin may need to be \"initialized\" (API key added) to access the settings page, though the AJAX endpoint often exists regardless.\n3.  **Target File:** Ensure `wp-config.php` exists in the standard WordPress root.\n\n## 7. Expected Results\n*   **Successful Exploit:** The HTTP response body contains the raw PHP source code of `wp-config.php`, including `DB_NAME`, `DB_USER`, `DB_PASSWORD`, and authentication salts.\n*   **Response Code:** `200 OK`.\n*   **Content Type:** Likely `text\u002Fplain` or `text\u002Fhtml`.\n\n## 8. Verification Steps\n1.  
**Check Response Body:** Look for the string `define( 'DB_NAME'` in the response from the `http_request` tool.\n2.  **Compare Content:** Run `cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php` via terminal and compare the output to the AJAX response to confirm full file disclosure.\n\n## 9. Alternative Approaches\n*   **Payload Variations:**\n    *   If `..\u002F..\u002F..\u002F..\u002Fwp-config.php` fails, try absolute paths: `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php`.\n    *   Try different file targets: `\u002Fetc\u002Fpasswd` or `wp-includes\u002Fversion.php`.\n*   **Action Name Discovery:**\n    If `shortpixel_load_log` is incorrect, run this command in the plugin directory:\n    ```bash\n    grep -r \"wp_ajax_\" .\n    ```\n    Search specifically for handlers that contain \"log\" or \"file\".\n*   **Parameter Name Discovery:**\n    If `loadFile` is incorrect, search the handler function body for `$_POST` or `$_REQUEST` keys:\n    ```bash\n    grep -r \"\\$_POST\" . | grep \"log\"\n    ```","The ShortPixel Image Optimizer plugin for WordPress (v6.4.2 and below) fails to properly sanitize the 'loadFile' parameter within its log-loading AJAX handler. 
This allows authenticated users with Editor-level privileges or higher to perform path traversal attacks and read arbitrary files on the server, such as wp-config.php.","\u002F\u002F Inferred from vulnerability description and research plan\n\u002F\u002F File path likely: wp-content\u002Fplugins\u002Fshortpixel-image-optimiser\u002Fclass\u002FController\u002FLogController.php\n\npublic function loadLogFile() {\n    \u002F\u002F Nonce check usually precedes the vulnerability\n    check_ajax_referer('shortpixel_nonce', 'nonce');\n\n    $file = $_POST['loadFile']; \u002F\u002F Vulnerable: No sanitization or path validation\n\n    if (file_exists($file)) {\n        echo file_get_contents($file); \u002F\u002F Sink: Reads and returns the contents of the unsanitized path\n    }\n    die();\n}","--- a\u002Fclass\u002FController\u002FLogController.php\n+++ b\u002Fclass\u002FController\u002FLogController.php\n@@ -10,7 +10,8 @@\n     public function loadLogFile() {\n         check_ajax_referer('shortpixel_nonce', 'nonce');\n-        $file = $_POST['loadFile'];\n+        $file = basename(sanitize_text_field($_POST['loadFile']));\n+        $file = SHORTPIXEL_LOGS_PATH . '\u002F' . $file;\n         if (file_exists($file)) {\n             echo file_get_contents($file);\n         }","To exploit this vulnerability, an attacker must have Editor-level authentication or higher. \n\n1. Access the WordPress admin panel as an Editor.\n2. Navigate to the ShortPixel settings page or inspect the page source to retrieve the 'shortpixel_nonce' from the localized JavaScript objects (e.g., ShortPixelData or spio_vars).\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the following parameters:\n   - action: shortpixel_load_log (or the specific log-loading action registered by the plugin)\n   - nonce: [The extracted nonce value]\n   - loadFile: ..\u002F..\u002F..\u002F..\u002Fwp-config.php\n4. 
The server will process the path traversal sequence and return the raw PHP contents of wp-config.php in the response body, disclosing database credentials and security keys.","gemini-3-flash-preview","2026-04-27 15:22:57","2026-04-27 15:24:42",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortpixel-image-optimiser\u002Ftags\u002F6.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortpixel-image-optimiser.6.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortpixel-image-optimiser\u002Ftags\u002F6.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortpixel-image-optimiser.6.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortpixel-image-optimiser\u002Ftags"]
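Review bot: the `research_fix_diff` hunk still gates the handler on `check_ajax_referer('shortpixel_nonce', 'nonce')` alone, which proves the caller holds a nonce but not that they may read logs; since the record says the nonce is reachable from the settings page by Editor-level users, a capability check such as `current_user_can('manage_options')` before the read would keep the endpoint to the administrators the settings page is meant for. Two smaller points on the same lines: `basename()` returns `..` unchanged, so `SHORTPIXEL_LOGS_PATH . '/' . $file` can still resolve to the parent directory, and `file_exists()` is true for directories, after which `file_get_contents()` fails with a warning; an `is_file()` test, or a `realpath()` prefix check against the logs directory, would close that off. `$_POST['loadFile']` is also dereferenced without `isset()`, which raises a notice on requests that omit the parameter.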