| CVE-2026-33813 | Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image | golang.org/x/image | golang.org/x/image/webp | - | - | 2026-04-21 19:21:28 | Deep Dive |
| CVE-2026-4335 | ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title | shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | Medium | 5.4 | 2026-03-26 02:25:20 | Deep Dive |
| CVE-2026-1356 | Converter for Media – Optimize images \| Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src | mateuszgbiorczyk | Converter for Media – Optimize images \| Convert WebP & AVIF | Medium | 4.8 | 2026-02-12 09:25:49 | Deep Dive |
| CVE-2026-1319 | Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field | themeisle | Robin Image Optimizer – Unlimited Image Optimization & WebP Converter | Medium | 6.4 | 2026-02-05 08:25:43 | Deep Dive |
| CVE-2026-1246 | ShortPixel Image Optimizer <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter | shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | Medium | 4.9 | 2026-02-05 06:47:41 | Deep Dive |
| CVE-2026-24530 | WordPress WebP Conversion plugin <= 2.2 - Broken Access Control vulnerability | sheepfish | WebP Conversion | Medium | 5.3 | 2026-01-23 14:28:50 | Deep Dive |
| CVE-2025-15158 | WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload | eastsidecode | WP Enable WebP | High | 8.8 | 2026-01-07 08:21:57 | Deep Dive |
| CVE-2025-13750 | Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint | mateuszgbiorczyk | Converter for Media – Optimize images \| Convert WebP & AVIF | Medium | 4.3 | 2025-12-17 06:37:00 | Deep Dive |
| CVE-2025-11379 | WebP Express <= 0.25.9 - Unauthenticated Information Exposure | roselldk | WebP Express | Medium | 5.3 | 2025-12-04 04:29:00 | Deep Dive |
| CVE-2025-12457 | Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads | ideastocode | Enable SVG, WebP, and ICO Upload | Medium | 6.4 | 2025-11-18 09:27:40 | Deep Dive |
| CVE-2025-13069 | Enable SVG, WebP, and ICO Upload <= 1.1.3 - Authenticated (Author+) Arbitrary File Upload via ICO Upload Bypass | ideastocode | Enable SVG, WebP, and ICO Upload | High | 8.8 | 2025-11-18 09:27:38 | Deep Dive |
| CVE-2025-12015 | Convert WebP & AVIF \| Quicq \| Best image optimizer and compression plugin \| Improve your Google Pagespeed <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect | sanderkah | Convert WebP & AVIF \| Quicq \| Best image optimizer and compression plugin \| Improve your Google Pagespeed | Medium | 4.3 | 2025-11-13 08:27:46 | Deep Dive |
| CVE-2025-11519 | Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload | optimole | Optimole – Optimize Images in Real Time | Medium | 4.3 | 2025-10-18 06:42:47 | Deep Dive |
| CVE-2025-11378 | ShortPixel Image Optimizer <= 6.3.4 - Authenticated (Contributor+) Settings Import/Export | shortpixel | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | Medium | 5.4 | 2025-10-18 03:33:23 | Deep Dive |
| CVE-2025-6626 | ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization <= 3.10.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via API URL | shortpixel | ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization | Medium | 4.4 | 2025-08-02 07:24:21 | Deep Dive |
| CVE-2024-13768 | CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 - Cross-Site Request Forgery to Font Assignment Deletion | ashikcse | CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts | Medium | 4.3 | 2025-03-22 06:41:13 | Deep Dive |
| CVE-2025-0807 | CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 - Cross-Site Request Forgery to Settings Update | ashikcse | CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts | Medium | 4.3 | 2025-03-22 06:41:10 | Deep Dive |
| CVE-2024-12060 | WP Media Optimizer (.webp) <= 1.4.0 - Reflected Cross-Site Scripting via wpmowebp-css-resources and wpmowebp-js-resources Parameters | francescosganga | WP Media Optimizer (.webp) | Medium | 6.1 | 2024-12-06 08:24:50 | Deep Dive |
| CVE-2024-9361 | Bulk images optimizer: Resize, optimize, convert to webp, rename ... <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update | giuliopanda | Bulk images optimizer: Resize, optimize, convert to webp, rename … | Medium | 4.3 | 2024-10-18 04:32:55 | Deep Dive |
| CVE-2024-3633 | WebP & SVG Support <= 1.4.0 - Author+ Stored XSS via SVG | Unknown | WebP & SVG Support | - | - | 2024-06-26 06:00:02 | Deep Dive |