← back
CVE-2025-3951

WP-Optimize < 4.2.0 - Admin+ SQLi

CVSS 4.1 MEDIUMEPSS 0.3%
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.1EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
02 Jun 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Affected products
Unknown · WP-Optimize