WordPress Plugin Vulnerabilities

WP-Optimize < 4.2.0 - Admin+ SQLi

Description

The plugin does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.

Proof of Concept

Affects Plugins

Plugin icon
wp-optimize
Fixed in 4.2.0

References

CVE
CVE-2025-3951
YouTube Video

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Francisco Alisson
Submitter
Francisco Alisson
Verified
Yes
WPVDB ID
220c195f-3df3-4883-8e0b-a0cf019e6323

Timeline

Publicly Published
2025-05-12 (about 7 months ago)
Added
2025-05-12 (about 7 months ago)
Last Updated
2025-05-12 (about 7 months ago)

Other

Published
Title
Published
2025-09-09
Title
Testimonial <= 2.3 - Authenticated (Contributor+) SQL Injection
Published
2024-05-30
Title
HTML5 Video Player < 2.5.27 - Unauthenticated SQLi
Published
2025-05-16
Title
Sticky Radio Player <= 3.4 - Authenticated (Contributor+) SQL Injection
Published
2025-08-28
Title
iATS Online Forms <= 1.2 - Authenticated (Contributor+) SQL Injection via order Parameter
Published
2025-04-07
Title
3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'infill_text'