CVE-2026-1246 in Image Optimizer Plugin
Summary
by MITRE • 02/05/2026
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/05/2026
The ShortPixel Image Optimizer plugin for WordPress represents a widely used tool for image optimization and compression, yet it harbors a critical vulnerability that exposes systems to unauthorized file access. This vulnerability exists within the plugin's handling of file operations through its AJAX interface, specifically in the loadLogFile action which processes the 'loadFile' parameter. The flaw stems from inadequate input validation and sanitization mechanisms that fail to properly restrict file paths, creating an opportunity for path traversal attacks that can be exploited by authenticated users with Editor-level privileges or higher.
The technical implementation of this vulnerability allows attackers to manipulate the 'loadFile' parameter to traverse directory structures and access files outside the intended scope of the plugin's operation. When an authenticated user with sufficient privileges makes an AJAX request to the loadLogFile endpoint, the plugin processes the supplied file path without proper validation, enabling attackers to specify absolute paths or utilize directory traversal sequences such as ../ to navigate to sensitive system files. This weakness directly maps to CWE-22 Path Traversal vulnerability classifications and represents a critical security gap in the plugin's input processing logic.
The operational impact of this vulnerability extends beyond simple information disclosure, as attackers can potentially access critical system files containing database connection strings, API keys, authentication tokens, and other sensitive credentials that could compromise the entire WordPress installation. The vulnerability affects all versions up to and including 6.4.2, indicating a long-standing issue that has persisted across multiple releases without proper mitigation. Attackers exploiting this vulnerability can systematically enumerate and read configuration files, log files, and potentially even core WordPress files, providing them with comprehensive insight into the system's architecture and security posture.
Organizations running affected versions of the ShortPixel plugin face significant risk exposure, particularly when the plugin is installed on production systems where Editor-level accounts may be compromised or where multiple users possess elevated privileges. The vulnerability's exploitation requires only authenticated access, making it particularly dangerous in environments where user access controls are not properly enforced or where accounts may be subject to credential theft through phishing or other social engineering attacks. From an attack framework perspective, this vulnerability aligns with ATT&CK technique T1213 Data from Information Repositories, where adversaries extract sensitive data from system files and logs through path traversal methods.
Mitigation strategies should prioritize immediate patching of the plugin to the latest secure version that addresses the path traversal vulnerability. System administrators should also implement additional access controls, including role-based access restrictions that limit Editor-level privileges to only necessary functions, and consider implementing file access monitoring to detect unusual file reading patterns. Network-level protections such as web application firewalls can help detect and block malicious path traversal attempts, while regular security audits should verify that no unauthorized file access has occurred. The vulnerability underscores the importance of proper input validation and the principle of least privilege in plugin development and deployment, as well as the necessity of maintaining current security patches for all WordPress components.