CVE-2026-2712
Description
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the receive_heartbeat() function in includes/class-wp-optimize-heartbeat.php in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking Updraft_Smush_Manager_Commands methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (updraft_smush_ajax) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (get_smush_logs), deleting all backup images (clean_all_backup_images), triggering bulk image processing (process_bulk_smush), and modifying Smush options (update_smush_options).
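The description above says the Heartbeat path dispatched Smush commands without the capability check, nonce check and command allow-list that the normal AJAX handler enforces. The following PHP is an added illustration of that defensive pattern, not WP-Optimize's own code: the class names, the `example_smush` payload key, the nonce action string and the allow-list contents are all hypothetical. It shows an unchecked dispatcher next to a hardened one that applies all three checks inside a real WordPress `heartbeat_received` filter.

```php
<?php
// Added illustration (not WP-Optimize code): a Heartbeat-driven command
// dispatcher with the three checks the advisory says the vulnerable handler
// lacked. All class, method and payload names below are hypothetical.

class Example_Smush_Commands {
    // Stand-ins for privileged operations; names mirror those cited in the advisory.
    public function get_smush_logs( $data )          { return array( 'logs' => 'redacted' ); }
    public function clean_all_backup_images( $data ) { return array( 'deleted' => 0 ); }
    public function process_bulk_smush( $data )      { return array( 'queued' => 0 ); }
    public function update_smush_options( $data )    { return array( 'saved' => true ); }
}

class Example_Heartbeat_Dispatcher {
    // Allow-list of commands the Heartbeat channel may ever trigger. Anything
    // else is refused even for an administrator (hypothetical list).
    const ALLOWED_COMMANDS = array( 'get_smush_logs', 'process_bulk_smush' );
    const NONCE_ACTION     = 'example-smush-heartbeat'; // hypothetical nonce action

    private $commands;

    public function __construct( Example_Smush_Commands $commands ) {
        $this->commands = $commands;
        // heartbeat_received is the real WordPress filter; it runs in admin-ajax
        // for the logged-in user, so current_user_can() reflects that user.
        add_filter( 'heartbeat_received', array( $this, 'receive_heartbeat' ), 10, 2 );
    }

    // UNCHECKED shape (do not use): trusts the client-supplied command name and
    // dispatches it with no capability, nonce or allow-list check. Kept only to
    // contrast with the hardened version below.
    public function receive_heartbeat_unchecked( $response, $data ) {
        if ( empty( $data['example_smush'] ) ) {
            return $response;
        }
        $cmd = $data['example_smush']['command'];
        $response['example_smush'] = call_user_func( array( $this->commands, $cmd ), $data['example_smush'] );
        return $response;
    }

    // HARDENED: same dispatch, gated by the checks the normal AJAX path enforces.
    public function receive_heartbeat( $response, $data ) {
        if ( empty( $data['example_smush'] ) || ! is_array( $data['example_smush'] ) ) {
            return $response;
        }
        $payload = $data['example_smush'];

        // 1. Capability check: only users allowed to manage the plugin get through.
        if ( ! current_user_can( 'manage_options' ) ) {
            $response['example_smush'] = array( 'error' => 'insufficient_capability' );
            return $response;
        }

        // 2. Nonce check: the request must carry a token issued to this user.
        $nonce = isset( $payload['nonce'] ) ? (string) $payload['nonce'] : '';
        if ( ! wp_verify_nonce( $nonce, self::NONCE_ACTION ) ) {
            $response['example_smush'] = array( 'error' => 'bad_nonce' );
            return $response;
        }

        // 3. Allow-list check: the command must be one this channel is meant to serve,
        //    and must actually exist on the command object.
        $cmd = isset( $payload['command'] ) ? (string) $payload['command'] : '';
        if ( ! in_array( $cmd, self::ALLOWED_COMMANDS, true ) || ! method_exists( $this->commands, $cmd ) ) {
            $response['example_smush'] = array( 'error' => 'command_not_allowed' );
            return $response;
        }

        $response['example_smush'] = call_user_func( array( $this->commands, $cmd ), $payload );
        return $response;
    }
}

// Wire it up only when running inside WordPress (add_filter is a WP function).
if ( function_exists( 'add_filter' ) ) {
    new Example_Heartbeat_Dispatcher( new Example_Smush_Commands() );
}
```

The nonce would be minted server-side with `wp_create_nonce( Example_Heartbeat_Dispatcher::NONCE_ACTION )`, handed to the page, and attached to the Heartbeat payload by the client script. The allow-list is deliberately narrower than the full command set: destructive operations such as `clean_all_backup_images` are left to the dedicated AJAX handler rather than made reachable from a background polling channel at all.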
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php (via nvd)
- plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-wp-optimize-heartbeat.php (via nvd)
- research.cleantalk.org/cve-2026-2712/ (via nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/6a0a376e-ea3a-40ca-9341-f28f92e15e02 (via nvd)
News mentions
No linked articles in our index yet.