## https://sploitus.com/exploit?id=A421CF0C-0048-58EE-A8C4-F3EBF49171F1
# CVE-2026-11784: CSRF to Arbitrary File Overwrite in Optimole WordPress Plugin
## Summary
A Cross-Site Request Forgery (CSRF) vulnerability in the Optimole plugin for WordPress (versions <= 4.2.5) allows unauthenticated attackers to silently overwrite existing media library assets via the `wp_ajax_optml_replace_file` AJAX action due to a lack of nonce validation.
- **CVE ID**: CVE-2026-11784
- **Vulnerability Type**: Cross-Site Request Forgery (CSRF)
- **Affected Plugin**: Optimole – Optimize Images
- **Remediation Version**: 4.2.6
- **Discoverer**: Alexandru Bucur
## Technical Analysis
The vulnerability resides in `inc/attachment_edit.php` within the `Optml_Attachment_Edit::replace_file()` method. While the method performs an authorization check with `current_user_can('edit_post', $id)`, it performs no anti-CSRF nonce verification (for example via `check_ajax_referer`). The capability check only proves that the browser holds an authenticated session; it says nothing about which origin submitted the request, so a request forged by a third-party page rides on the victim's session cookie and is accepted.
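The pattern the advisory describes, shown as an added illustration rather than Optimole's own code or the vendor's actual patch: a WordPress `admin-ajax.php` handler that checks capability only, beside the same handler hardened with a nonce check and server-side file re-validation. The action name `example_replace_file`, the nonce action name, the `nonce` request field and the script handle are all assumptions chosen for the example.

```php
<?php
// Added illustration (not the plugin's code). Two shapes of a hypothetical
// file-replace AJAX handler: the vulnerable shape the advisory describes,
// and a hardened shape with an anti-CSRF nonce.

// --- Vulnerable shape: authorization without proof of request origin ------
// current_user_can() confirms the browser carries an editor session, but a
// cross-site form post from any origin is sent with that same session cookie,
// so the check passes for forged requests as well.
add_action( 'wp_ajax_example_replace_file_vulnerable', function () {
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... the uploaded file would replace the attachment here ...
    wp_send_json_success();
} );

// --- Hardened shape: nonce check first, then capability, then file checks --
// 'example_replace_file' is an assumed nonce action name and 'nonce' an
// assumed request field; both are illustrative.
add_action( 'wp_ajax_example_replace_file', function () {
    // check_ajax_referer() terminates the request (HTTP 403, body "-1") when
    // the nonce is absent, expired, or was minted for another user or action.
    check_ajax_referer( 'example_replace_file', 'nonce' );

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // Re-derive type and extension from the file contents instead of trusting
    // the client-supplied MIME type; unknown or disallowed types are rejected.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name']
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'unsupported file type', 415 );
    }
    // ... replace the attachment file here ...
    wp_send_json_success();
} );

// --- Issuing the nonce to the legitimate admin page's own script ----------
// The script (assumed file replace.js, handle 'example-replace') reads
// exampleReplace.nonce and appends it to its multipart form as 'nonce'.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-replace', plugins_url( 'replace.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-replace', 'exampleReplace', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_replace_file' ),
    ) );
} );
```

The order matters: the nonce check runs before any other work so a forged request is rejected before capability checks or file handling touch it. A nonce is tied to the logged-in user and the action string, so a page on another origin cannot obtain a valid one without first reading the admin page, which the same-origin policy prevents. When auditing a plugin for this class of bug, look for every `wp_ajax_*` hook whose callback performs a state change and confirm it calls `check_ajax_referer()` or `wp_verify_nonce()` before doing so.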
### The Image Validation Bypass
A naive CSRF attempt that submits a text string as a mock image fails because WordPress validates image integrity using GD Graphics Library / ImageMagick routines. The PoC therefore constructs a structurally valid 1x1 JPEG in JavaScript (a `Uint8Array` decoded from a Base64 string) before submitting the multipart form.
## Proof of Concept
The exploit script can be found in the `/exploit` directory.
## Impact
- **Data Integrity Loss**: High-value media elements (logos, documents) can be overwritten.
- **XSS Escalation**: If the replaced asset is of a type that can carry script (for example SVG) or is otherwise served in an executable context, the overwrite can escalate to a full Stored Cross-Site Scripting exploit and complete site takeover.
## Timeline
- **May 14, 2026**: Initial discovery & submission.
- **June 2026**: Validated and assigned CVE-2026-11784.
- **June 2026**: Public Disclosure.