# ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF <= 6.4.3 - Authenticated (Author+) PHP Object Injection

**CVE:** CVE-2026-39471

**Description:** The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.4.3 via deserialization of untrusted input. This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

## Vulnerability details

*   **Plugin slug:** `shortpixel-image-optimiser`
*   **Affected versions:** <= 6.4.3
*   **Patched in version:** 6.4.4
*   **Severity:** High (CVSS 7.5)
*   **CVSS vector:** `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
*   **Vulnerability type:** Deserialization of Untrusted Data
*   **Published:** 2026-04-20
*   **Updated:** 2026-04-30 14:59:54
*   **Days to patch:** 11
*   **Patch diff files / Trac URL:** none recorded
*   **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/1079b96d-0435-42f1-b5b2-d36e674c0c9c?source=api-prod

## Research status

*   **Status:** researched (3 research rounds completed); **not verified**
*   **Model used:** gemini-3-flash-preview
*   **Started:** 2026-05-04 19:28:41
*   **Completed:** 2026-05-04 19:30:27
*   **PoC:** none recorded (no PoC status, steps, video, Playwright script, exploit code or trace)

Everything in the research sections below is model-generated and flagged as inferred where the plan itself says so; the endpoint, action and parameter names have not been confirmed against the plugin source.

## Research plan

This research plan outlines the steps to identify and exploit the PHP Object Injection vulnerability (CVE-2026-39471) in the ShortPixel Image Optimizer plugin.

### 1. Vulnerability Summary
The **ShortPixel Image Optimizer** plugin (<= 6.4.3) is vulnerable to PHP Object Injection due to the use of the `unserialize()` function on user-controlled data. Specifically, an AJAX handler intended to process image metadata or optimization states takes a parameter (likely base64-encoded) and deserializes it without prior validation.

While the plugin itself may not contain a direct "Property Oriented Programming" (POP) chain, the vulnerability allows an attacker with **Author+** privileges to trigger `__wakeup` or `__destruct` methods of any class available in the WordPress environment (including core, other plugins, or the theme).

### 2. Attack Vector Analysis
*   **Endpoint:** `/wp-admin/admin-ajax.php`
*   **Action:** `shortpixel_image_action` (inferred based on plugin architecture) or a related bulk-processing action.
*   **Vulnerable Parameter:** `data` or `options`.
*   **Authentication:** Required (Author level or higher).
*   **Preconditions:** The user must have permissions to manage media or access the ShortPixel settings/bulk page.

### 3. Code Flow (Inferred)
1.  The plugin registers an AJAX handler: `add_action('wp_ajax_shortpixel_image_action', [...])`.
2.  The handler function retrieves user input from `$_POST['data']`.
3.  The input is decoded (e.g., `base64_decode`).
4.  The plugin calls `unserialize($decoded_data)` or `maybe_unserialize($decoded_data)`.
5.  If `$decoded_data` contains a serialized PHP object, the object is instantiated, and its magic methods (`__wakeup` during unserialization, `__destruct` when the object is released) are executed.

### 4. Nonce Acquisition Strategy
The ShortPixel plugin typically enqueues its scripts on the Media Library page and its own settings page.

1.  **Identify Page:** The Media Library (`upload.php`) is the most reliable place for an Author to find ShortPixel nonces.
2.  **Access Page:** Log in as an **Author** and navigate to `wp-admin/upload.php?mode=list`.
3.  **Extract Nonce:** The plugin localizes data via `wp_localize_script`. The variable and key names below are candidates, not confirmed values.
    *   **JS Variable:** `shortPixel` or `SPIO`.
    *   **Nonce Key:** `nonce` or `shortPixelNonce`.
    *   **Script execution:** `browser_eval("window.shortPixel?.nonce")` or `browser_eval("window.SPIO?.nonce")`.

### 5. Test Data Setup
1.  **Install Plugin:** Install ShortPixel Image Optimizer version 6.4.3.
2.  **Create User:** Create a user with the `author` role.
3.  **Configure Plugin:** Ensure the plugin is active. It may require a (fake) API key to activate certain optimization features, which can be set via `wp option update`.
4.  **Upload Image:** Upload at least one image as the Author to ensure the ShortPixel metadata handlers are active.

### 6. Exploitation Strategy
The goal is to demonstrate that a serialized object is successfully processed by the server.

**Step 1: Authenticate**
Use the `http_request` tool to log in as the Author and save the session cookies.

**Step 2: Obtain Nonce**
Navigate to the Media Library and extract the nonce using `browser_eval` (the global names are candidates; check which one the page actually defines).
```javascript
// Example JS to run in the browser via browser_eval
const nonce = window.ShortPixel?.nonce || window._sp_php_vars?.nonce;
return nonce;
```

**Step 3: Construct Payload**
Since no internal POP chain is confirmed, use a generic payload to test for execution or use a standard WordPress Core chain if available (e.g., `WP_HTML_Token` or `Requests_Utility_FilteredIterator`; both have been hardened in later core releases, so check the target's WordPress version before relying on them). For a simple PoC, a "dummy" class can be used if we just want to see the error in the logs.

**Step 4: Send the Request**
Send a POST request to `admin-ajax.php`.
*   **URL:** `https://target.local/wp-admin/admin-ajax.php`
*   **Method:** `POST`
*   **Headers:** `Content-Type: application/x-www-form-urlencoded`
*   **Body:**
    ```
    action=shortpixel_image_action&nonce=[NONCE]&data=[BASE64_SERIALIZED_OBJECT]
    ```

### 7. Expected Results
*   **Successful Injection:** The server processes the request. If using a payload that triggers a visible side effect (like a file creation or an error), that effect should be observed.
*   **Response:** The response might be a `200 OK` with JSON data, but the PHP magic methods will have executed on the backend during the `unserialize` call.

### 8. Verification Steps
1.  **Check PHP Error Logs:** If the payload names a class that is not loaded, PHP creates a `__PHP_Incomplete_Object`; any later property access on it logs a notice starting "The script tried to access a property on an incomplete object" in `wp-content/debug.log` when `WP_DEBUG_LOG` is enabled. Malformed payloads produce `unserialize(): Error at offset ...`.
2.  **Database Check:** Use `wp_cli` to check if any options or metadata were modified if the payload was designed to do so.
3.  **File System:** If using a payload designed to create a file (like a basic LFI/RCE chain), check for the existence of that file via the terminal.

### 9. Alternative Approaches
*   **Different AJAX Action:** If `shortpixel_image_action` is not the correct name, grep the source for `unserialize` calls that read request data, then map the containing function back to its `wp_ajax_` registration:
    `grep -r "unserialize" . | grep "POST"`
*   **Metadata Exploitation:** If the injection occurs via post metadata, use the `http_request` tool to update a post's metadata (if the plugin allows) and then trigger the optimization/viewing process that calls `unserialize` on that metadata.
*   **Bulk Action:** Check the bulk optimization screen (`wp-admin/admin.php?page=wp-short-pixel-bulk`), which frequently passes complex state objects in a serialized format. Look for a JS variable named `ShortPixelBulkData`.

## Research summary

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to PHP Object Injection in versions up to 6.4.3 due to the use of `unserialize()` on user-controlled input in AJAX handlers. Authenticated attackers with Author-level access or higher can exploit this to instantiate PHP objects and trigger magic methods, potentially leading to arbitrary file deletion or remote code execution if a POP chain is present.

## Vulnerable code (inferred)

```php
// Inferred from ShortPixel Image Optimizer AJAX processing logic
// Likely located in class/controller/shortpixel-controller.php or main plugin file

public function handle_ajax_action() {
    // ... nonce verification ...

    if (isset($_POST['data'])) {
        $data = $_POST['data'];
        // The plugin decodes and deserializes data directly from user input
        $decoded_data = base64_decode($data);
        $processed_object = unserialize($decoded_data);

        // ... logic continues using the deserialized object ...
    }
}
```

## Fix diff (proposed by the research, not verified against the 6.4.4 tag)

```diff
--- a/wp-short-pixel.php
+++ b/wp-short-pixel.php
@@ -124,7 +124,7 @@
     if (isset($_POST['data'])) {
         $data = $_POST['data'];
-        $processed_object = unserialize(base64_decode($data));
+        $processed_object = json_decode(base64_decode($data), true);
     }
```

## Exploit outline

1.  Authenticate to the WordPress site as a user with at least Author-level privileges.
2.  Navigate to the Media Library (`wp-admin/upload.php`) or the ShortPixel settings page to locate the security nonce. The nonce is expected to be stored in a global JavaScript variable such as `ShortPixel` or `_sp_php_vars`.
3.  Generate a serialized PHP object payload designed to trigger a specific POP chain (e.g., using WordPress core classes or other installed plugins) to perform a desired action such as file deletion or code execution.
4.  Base64-encode the resulting serialized string.
5.  Send an HTTP POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `shortpixel_image_action`, the `nonce` parameter populated with the found value, and the `data` parameter containing the encoded payload.

## Source links

*   **Type:** plugin
*   **Vulnerable version:** 6.4.3
    *   Browse: https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.3
    *   Zip: https://downloads.wordpress.org/plugin/shortpixel-image-optimiser.6.4.3.zip
*   **Fixed version:** 6.4.4
    *   Browse: https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.4
    *   Zip: https://downloads.wordpress.org/plugin/shortpixel-image-optimiser.6.4.4.zip
*   **All tags:** https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags
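Review bot: the `json_decode(..., true)` replacement in the `wp-short-pixel.php` hunk changes the type of `$processed_object` from an object to an associative array (or `null`), but the hunk touches nothing below it, and the surrounding code is described as continuing to use "the deserialized object"; any `->` property access downstream would need to become array access in the same change. `json_decode` also returns `null` silently on malformed input, so the line should be followed by a `json_last_error() !== JSON_ERROR_NONE` check (or use `JSON_THROW_ON_ERROR`) before the value is used. Note as well that the hunk header announces 7 lines of context but only 5 are shown, and the page records `research_verified: false`, so this is the researcher's proposed fix rather than the diff between the 6.4.3 and 6.4.4 tags linked under source links; compare against the 6.4.4 tag before citing it as the actual patch.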
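As an added example, not code from the ShortPixel plugin or from this page's research output, the following PHP script shows the sink described in section 3 (Code Flow) and what the "Construct Payload" step of section 6 produces, beside two hardened variants: `unserialize()` with `allowed_classes` disabled, and the JSON wire format proposed in the fix diff with fail-closed error handling. The `DemoGadget` class, the handler names and the file-writing side effect are assumptions made for the demonstration; no gadget of this shape is claimed to exist in the plugin or in WordPress core.

```php
<?php
// Added example (not ShortPixel's code). DemoGadget, the handler names and
// the file-write side effect are assumptions for the demonstration only.

declare(strict_types=1);

// Hypothetical gadget: stands in for any loaded class whose magic methods
// act on attacker-controlled properties.
class DemoGadget
{
    public string $logFile = '';
    public string $message = '';

    public function __wakeup(): void
    {
        // Fires inside unserialize(), before the handler looks at the value.
        file_put_contents($this->logFile, $this->message, FILE_APPEND);
    }
}

// Vulnerable shape from the inferred code flow: base64 -> unserialize on
// request data. Any class already loaded in the process can be instantiated.
function vulnerable_handler(string $data)
{
    return unserialize(base64_decode($data));
}

// Hardened 1: keep the format but refuse every class. PHP then yields a
// __PHP_Incomplete_Object instead of the named class, so its __wakeup and
// __destruct never run. Only the top level is checked here; nested objects
// inside arrays are also incomplete objects and would need a walk.
function hardened_allowed_classes(string $data)
{
    $value = unserialize(base64_decode($data), ['allowed_classes' => false]);
    if (is_object($value)) {
        return null;   // any object payload is rejected
    }
    return $value;
}

// Hardened 2: switch to JSON (the approach in the page's fix diff) and fail
// closed on invalid base64 or invalid JSON instead of silently using null.
function hardened_json(string $data): ?array
{
    $raw = base64_decode($data, true);
    if ($raw === false) {
        return null;
    }
    try {
        $value = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// What the "Construct Payload" step produces: serialize() of an object the
// target knows, base64-encoded for the POST body's data= parameter.
function build_payload(string $logFile, string $message): string
{
    $g = new DemoGadget();
    $g->logFile = $logFile;
    $g->message = $message;
    return base64_encode(serialize($g));
}

$tmp = tempnam(sys_get_temp_dir(), 'oi');
$payload = build_payload($tmp, "wakeup fired\n");
// Decoded payload: O:10:"DemoGadget":2:{s:7:"logFile";s:..:"...";s:7:"message";s:13:"wakeup fired\n";}

vulnerable_handler($payload);
clearstatcache();
echo 'vulnerable_handler: ', filesize($tmp) > 0 ? 'gadget ran' : 'no effect', "\n";
unlink($tmp);

var_dump(hardened_allowed_classes($payload));       // NULL: object rejected
var_dump(hardened_json($payload));                  // NULL: not JSON
var_dump(hardened_json(base64_encode('{"id":42}'))); // array(1) { ["id"]=> int(42) }
```

The first variant is the smaller change for a plugin that already stores serialized arrays, since `allowed_classes => false` leaves array and scalar payloads working; the JSON variant is the safer long-term fix but, as the fix diff shows, requires every consumer of the decoded value to be updated for the type change.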