
15 matches found

ATTACKERKB
added 2026/05/07 4:27 a.m., 5 views

CVE-2026-7252

The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduledoriginalfiledeletion function in all versions up to, and including, 4.5.2 Th...

CVSS 8.1, AI score 6.5, EPSS 0.00246
Exploits: 0, References: 10

Patchstack
added 2026/04/09 11:59 p.m., 2 views

WordPress WP-Optimize plugin <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and Image Manipulation vulnerability

Missing Authorization to Authenticated Subscriber+ Plugin Settings Update and Image Manipulation vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WP-Optimize versions <= 4.5.0...

CVSS 5.4, AI score 5.9, EPSS 0.00016
Exploits: 0, References: 1, Affected Software: 1

RedhatCVE
added 2026/01/09 9:31 a.m., 3 views

CVE-2023-25491

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Samuel Marshall JCH Optimize plugin = 3.2.2 versions...

CVSS 5.9, AI score 5.2, EPSS 0.00207
Exploits: 0, References: 1

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 3 views

Malicious code in wavefunction-optimize-css-assets-webpack-plugin-development-ursa (npm)

Source: amazon-inspector (25aeb382914a3761927c689bda3eefcfcfc97e0a1a8d7b2dfbecea0ce3f3077c). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSV
added 2025/11/12 4:29 a.m., 1 views

MAL-2025-148327 Malicious code in stream-optimize-css-assets-webpack-plugin-nodemon-pulsar (npm)

Source: amazon-inspector (fae29f63ab3edd79a6f27157b2a92d2fd2d219f65bf803de9275b448418c9dba). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 4:29 a.m., 2 views

Malicious code in wolf-optimize-css-assets-webpack-plugin-vuepress-procyon (npm)

Source: amazon-inspector (3768fb0a7b12ce6b9004fe6f38b1fa116ddf2101ee2e81d55bd64ea323991bc6). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSV
added 2025/09/05 5:10 p.m., 1 views

MAL-2025-44466 Malicious code in gravity-optimize-css-assets-webpack-plugin-selenium-rollup-plugin (npm)

The package gravity-optimize-css-assets-webpack-plugin-selenium-rollup-plugin was found to contain malicious code...

AI score 7
Exploits: 0

NVD
added 2025/06/02 6:15 a.m., 9 views

CVE-2025-3951

The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations...

CVSS 4.1, EPSS 0.00188
Exploits: 1, References: 1

Cvelist
added 2025/06/02 6:0 a.m., 14 views

CVE-2025-3951 WP-Optimize < 4.2.0 - Admin+ SQLi

The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations...

EPSS 0.00188
Exploits: 1, References: 1

CVE
added 2025/06/02 6:0 a.m., 52 views

CVE-2025-3951

CVE-2025-3951 affects the WP-Optimize WordPress plugin prior to version 4.2.0. The issue is improper escaping of user input when checking image compression statuses, which could enable users with the administrator role in Multi-Site WordPress configurations to perform SQL Injection attacks. Publi...

CVSS 4.1, AI score 8.2, EPSS 0.00188
Exploits: 1, References: 1, Affected Software: 1

Vulnrichment
added 2025/06/02 6:0 a.m., 6 views

CVE-2025-3951 WP-Optimize < 4.2.0 - Admin+ SQLi

The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations...

AI score 5.1, EPSS 0.00188
Exploits: 1, References: 1

RedhatCVE
added 2025/05/23 9:12 a.m., 4 views

CVE-2024-30481

Broken Access Control vulnerability in Samuel Marshall JCH Optimize. This issue affects JCH Optimize: from n/a through 4.0.0...

CVSS 8.8, AI score 7, EPSS 0.00093
Exploits: 0, References: 1

RedhatCVE
added 2025/05/22 9:5 p.m., 6 views

CVE-2021-24219

The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin...

CVSS 5.3, AI score 6.8, EPSS 0.16356
Exploits: 2, References: 1

Prion
added 2023/05/06 11:15 p.m., 19 views

Cross site scripting

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Samuel Marshall JCH Optimize plugin = 3.2.2 versions...

CVSS 4.3, AI score 4.9, EPSS 0.00207
Exploits: 0, References: 1, Affected Software: 1

ATTACKERKB
added 2022/09/16 9:15 a.m., 0 views

CVE-2022-2635

The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

CVSS 4.8, AI score 5.9, EPSS 0.00218
Exploits: 1, References: 2