VYPR
High severity · 7.2 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-39471

Description

A PHP Object Injection vulnerability in ShortPixel Image Optimizer <= 6.4.3 allows authenticated attackers to execute arbitrary code via deserialization of untrusted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A PHP Object Injection vulnerability exists in the ShortPixel Image Optimizer plugin for WordPress versions up to and including 6.4.3 [1]. The flaw stems from unsanitized user input being passed to PHP's unserialize() function, allowing injection of arbitrary serialized objects. This affects the plugin's handling of certain parameters where user-supplied data is deserialized without validation. The vulnerability is classified as Author-level, meaning an attacker needs at least an author account on the WordPress site to exploit it [1].

Exploitation

An attacker with author-level privileges can craft a malicious serialized payload and inject it via a vulnerable parameter [1]. The plugin will then unserialize the payload, potentially triggering a POP (Property Oriented Programming) chain if suitable magic methods exist in the WordPress core or plugin classes. No additional user interaction is required. The exploitation could be carried out in mass-exploit campaigns targeting thousands of sites [1].

Impact

Successful exploitation can result in a range of severe outcomes, including arbitrary code execution, SQL injection, path traversal, and denial of service [1]. The exact impact depends on the available POP chain. An attacker could gain full control over the affected WordPress site, leading to data theft, site defacement, or further compromise.

Mitigation

The vulnerability is fixed in version 6.4.4 [1]. Users should update to this version or later immediately. If unable to update, consider disabling the plugin or implementing a web application firewall rule to block malicious serialized payloads. Patchstack users can enable auto-updates for vulnerable plugins [1]. No other workarounds are documented in the available reference.
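The bug class described above (untrusted data reaching unserialize()) and the code-level defences a plugin developer or site operator would apply, as an added example. This is not ShortPixel's code: the page does not show the plugin's vulnerable parameter or the fix diff, so the function names, the setting keys (quality, webp) and the sample inputs below are all constructed for illustration.

```php
<?php
// Added example, not taken from the ShortPixel plugin. It shows the generic
// vulnerable pattern, two hardened replacements, and a coarse request-level
// check of the kind a WAF rule or logging hook would use as a stopgap.

// VULNERABLE PATTERN: request data is deserialized as-is. Any "O:" or "C:"
// token instantiates a real class, so every reachable class with __wakeup(),
// __destruct() or __toString() becomes a potential gadget (PHP Object Injection).
function load_settings_unsafe(string $raw): array
{
    $settings = unserialize($raw);
    return is_array($settings) ? $settings : [];
}

// HARDENED A: keep the PHP serialization format but forbid object creation.
// With allowed_classes => false every object token is turned into
// __PHP_Incomplete_Class, so no real constructor or magic method runs.
// A top-level object is then not an array and is rejected outright.
function load_settings_no_objects(string $raw): array
{
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($settings) ? $settings : [];
}

// HARDENED B (preferred for new code): use a data-only format plus an
// allowlist schema. JSON cannot express PHP objects at all, and unknown or
// mistyped keys are dropped rather than stored.
function load_settings_json(string $raw): array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    if (isset($data['quality']) && is_int($data['quality'])
        && $data['quality'] >= 0 && $data['quality'] <= 100) {
        $clean['quality'] = $data['quality'];
    }
    if (isset($data['webp']) && is_bool($data['webp'])) {
        $clean['webp'] = $data['webp'];
    }
    return $clean;
}

// DETECTION / VIRTUAL PATCH: does a request field carry a serialized object?
// Matches an object ("O:") or Serializable ("C:") token at the start of the
// value or directly after a separator. Coarse by design: suitable for a WAF
// rule or for logging while the real fix (updating the plugin) is rolled out.
function looks_like_serialized_object(string $value): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $value) === 1;
}

// Constructed sample inputs (not captured from any real request).
$benign  = serialize(['quality' => 80, 'webp' => true]);
$hostile = 'O:8:"stdClass":1:{s:4:"name";s:4:"demo";}'; // harmless class, shows the shape only
$json    = '{"quality": 85, "webp": false, "unknown": "dropped"}';

assert(looks_like_serialized_object($benign) === false);
assert(looks_like_serialized_object($hostile) === true);
assert(load_settings_no_objects($benign) === ['quality' => 80, 'webp' => true]);
assert(load_settings_no_objects($hostile) === []);          // incomplete object, rejected
assert(load_settings_json($json) === ['quality' => 85, 'webp' => false]);
echo "all checks passed\n";
```

Option A is the smallest change to an existing code base that already stores serialized arrays; option B is what to reach for when the storage format can be changed. The regex check is a detection and containment aid for defenders, not a substitute for updating to 6.4.4, since serialized data can be encoded or split to evade simple pattern matching.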

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.