Security Alert Summary
The Robin Image Optimizer – Unlimited Image Optimization & WebP Converter WordPress plugin contains a stored Cross-Site Scripting (XSS) vulnerability in the Media Library Alternative Text field. Authenticated users with Author-level access or higher can inject script into an image’s alternative text that will execute when an injected page is viewed, due to insufficient input sanitization and output escaping.
CVE Details
- CVE ID: CVE-2026-1319
- Affected plugin / component: Robin Image Optimizer – Unlimited Image Optimization & WebP Converter (Media Library
Alternative Textfield) - Affected versions: All versions up to, and including, 2.0.2
- Published: February 5, 2026 at 9:15 AM UTC
- Last modified: February 5, 2026 at 2:57 PM UTC
- CVSS v3.1: Base Score 6.4 — MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW (authenticated user with Author-level access or higher)
- User Interaction: NONE
- Scope: CHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
- Authentication / Authorization: Requires an authenticated account with Author-level privileges or higher (as described in the CVE entry).
- CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
This vulnerability is a stored Cross-Site Scripting (XSS) issue that arises because the plugin does not sufficiently sanitize or escape content provided in the Media Library Alternative Text field. When an authenticated user with the required privileges saves a crafted value in that field, the plugin stores the input and later outputs it into pages without adequate output escaping, allowing injected JavaScript to run in the context of any page that renders the affected image’s alternative text.
The description indicates the root cause is insufficient input sanitization and output escaping for the Alternative Text field. The vulnerability allows arbitrary script execution in the browser of anyone who views a page containing the injected image data. The CVSS vector indicates no user interaction is required once the payload is stored, and that the issue can be triggered over the network by an authenticated user with low privileges.
How This Could Impact Your Website
Consider a multi-user site where the site owner manages overall settings, internal staff (editors) publish content, and external contributors or contractors upload media. An Author-level user or higher who is able to edit media could add a malicious payload to an image’s alternative text. When other users — including administrators, editors, or site visitors whose browsers render that content — access a page containing the injected image, the script can execute in their browsers.
Practical consequences include limited disclosure or modification of data accessible via the user’s browser (for example, exposure of session information or content visible on the page) and an increased risk of targeted phishing or social engineering using content that appears to come from within the site. Exposure of internal user email addresses or user-visible profile data is a realistic outcome depending on what the executed script accesses on the page.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles, especially users with Contributor/Author-level access.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and logs for unusual behavior, including unexpected changes to media metadata or repeated media uploads from the same account.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.