CVE-2026-1246
📋 TL;DR
The ShortPixel Image Optimizer WordPress plugin contains a path traversal vulnerability that allows authenticated attackers with Editor-level permissions or higher to read arbitrary files on the server. This can expose sensitive information including database credentials and authentication keys. The vulnerability affects all versions up to and including 6.4.2.
💻 Affected Systems
- ShortPixel Image Optimizer WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive files like wp-config.php containing database credentials, leading to complete site compromise and potential data exfiltration.
Likely Case
Attackers with editor access read configuration files to obtain database credentials or other sensitive information for further attacks.
If Mitigated
With proper access controls and file permissions, impact is limited to files readable by the web server user.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via crafted AJAX requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.3
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find ShortPixel Image Optimizer. 4. Click 'Update Now' if available. 5. Alternatively, download version 6.4.3+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the vulnerable loadLogFile AJAX action
Add to theme's functions.php: remove_action('wp_ajax_shortpixel_loadLogFile', array('ShortPixel\Controller\AjaxController', 'loadLogFile'));
Restrict user roles
allLimit Editor and higher role assignments to trusted users only
🧯 If You Can't Patch
- Deactivate the ShortPixel Image Optimizer plugin immediately
- Implement strict file permissions (e.g., 600 for sensitive files) and web application firewall rules to block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > ShortPixel Image Optimizer. If version is 6.4.2 or lower, you are vulnerable.Check Version:
wp plugin list --name=shortpixel-image-optimiser --field=versionVerify Fix Applied:
After updating, verify plugin version shows 6.4.3 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=shortpixel_loadLogFile containing ../ sequences
- Unusual file access patterns from web server user
Network Indicators:
- HTTP requests with loadFile parameter containing path traversal sequences (../, ..\)
SIEM Query:
source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data="*shortpixel_loadLogFile*" AND (post_data="*../*" OR post_data="*..\\*")🔗 References
- https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L1686
- https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L309
- https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/BulkController.php#L200
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449706%40shortpixel-image-optimiser&new=3449706%40shortpixel-image-optimiser&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/03cb41d2-67c8-457f-8d85-7aede8e12d44?source=cve
