Security Alert Summary
The ShortPixel Image Optimizer plugin for WordPress contains a path traversal vulnerability in an AJAX action that allows authenticated users with Editor-level access and above to read arbitrary files on the server via the loadFile parameter. Sensitive information such as database credentials and authentication keys may be exposed. Site owners should assess exposure and apply any available updates or mitigations.
CVE Details
- CVE ID: CVE-2026-1246
- Affected component: ShortPixel Image Optimizer plugin for WordPress
- Affected versions: All versions up to, and including, 6.4.2. (Fixed version not specified in the CVE entry.)
- Published: February 5, 2026 at 7:16:17 AM UTC
- Last modified: February 5, 2026 at 2:57:20 PM UTC
- CVSS v3.1: Base Score 4.9 — MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High (authenticated user with elevated privileges)
- User Interaction: None
- Scope: Unchanged
- Impact: Confidentiality: High; Integrity: None; Availability: None
- Authentication / Privileges Required: Authenticated user with Editor-level access or higher (as stated in the CVE description and reflected by PR:H in CVSS).
- Primary impact: Disclosure of sensitive server-side files (confidentiality impact)
- CWE / Weakness ID: CWE-22 (Path Traversal)
Technical Details
This vulnerability is a path traversal flaw in the plugin’s AJAX handling. Specifically, insufficient path validation and sanitization in the loadLogFile AJAX action allows an authenticated user to control the loadFile parameter in a way that accesses files outside the intended directory. Because the plugin does not properly normalize or restrict the requested path, traversal sequences can lead to reading arbitrary files on the server.
The practical effect is an arbitrary file read: an attacker with the required privileges can request files that may contain sensitive data (for example, database configuration files or authentication keys). The CVE description and CVSS data indicate confidentiality impact is high while integrity and availability are not impacted.
How This Could Impact Your Website
Consider a small team managing a WordPress site: the site owner, an internal content editor, and an external contractor who helps with images. If an editor or contractor account is compromised or misused, that account could be used to invoke the vulnerable AJAX action and read files from the server. Exposed files could include configuration files with database credentials or secret keys, which increases the risk of data leakage and targeted attacks such as credential theft or tailored phishing.
Even if the attacker cannot modify site content directly via this issue, access to secrets can enable further attacks or lateral movement. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles and privileges, especially accounts with Editor-level access or higher.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, especially file-access patterns or unexpected AJAX requests.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L1686
- https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L309
- https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/BulkController.php#L200
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449706%40shortpixel-image-optimiser&new=3449706%40shortpixel-image-optimiser&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/03cb41d2-67c8-457f-8d85-7aede8e12d44?source=cve