HarborGuard Database

CVE-2026-39471 · Severity: HIGH · CNA: Patchstack

CVE-2026-39471: WordPress ShortPixel Image Optimizer plugin <= 6.4.3 - PHP Object Injection vulnerability

Author-level PHP Object Injection in ShortPixel Image Optimizer versions <= 6.4.3.

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability where attacker-controlled data is passed to PHP's unserialize() function, allowing the attacker to instantiate arbitrary PHP objects and chain them into destructive operations. This flaw affects the ShortPixel Image Optimizer WordPress plugin in versions 6.4.3 and earlier, and is reachable over the network by an authenticated user holding an Author-level account or higher. Successful exploitation enables full confidentiality loss, data tampering, and service disruption on the affected WordPress installation. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment upstream publishes a fix.
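The mechanism described above, as an added illustration of the vulnerability class. This is not code from the ShortPixel plugin or from HarborGuard: the TempFileCleaner class and the load_settings_* functions are hypothetical stand-ins for any class with a magic method and any code path that feeds stored data to unserialize(). PHP 8 is assumed.

```php
<?php
// Added illustration of PHP Object Injection (the vulnerability class of this
// advisory). Not ShortPixel or HarborGuard code: TempFileCleaner and the
// load_settings_* functions are hypothetical stand-ins. Assumes PHP 8.

declare(strict_types=1);

// Any class with a magic method that does work becomes a "gadget" once
// attacker-controlled bytes reach unserialize(). In a real WordPress install
// such classes come from core, themes and other plugins.
class TempFileCleaner
{
    public static array $log = [];

    public function __construct(public string $path) {}

    // __destruct runs when the object is freed, including objects that
    // unserialize() rebuilt and the application never touched. A real gadget
    // would unlink() or write files here; this one only records the call.
    public function __destruct()
    {
        self::$log[] = "cleanup ran for {$this->path}";
    }
}

// BEFORE: the vulnerable pattern. The stored string decides which classes are
// instantiated and what their properties hold.
function load_settings_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// AFTER, option 1: keep the native format but refuse every class. Object tokens
// become __PHP_Incomplete_Class instances whose magic methods never run, while
// scalars, strings and arrays deserialize as before. If one value class is
// genuinely needed, pass an explicit allowlist instead of false.
function load_settings_hardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// AFTER, option 2: for new data, use JSON. It carries no class information, so
// there is no object to rebuild and nothing to chain.
function load_settings_json(string $raw): ?array
{
    $value = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : null;
}

// Constructed inputs: a legitimate settings blob, and a blob that names the
// gadget class with an attacker-chosen property. Built with serialize() on an
// object kept alive until the script ends, so its own destructor does not
// show up in the log below.
$legit   = serialize(['quality' => 85, 'webp' => true]);
$sample  = new TempFileCleaner('/tmp/attacker-chosen-path');
$hostile = serialize($sample);

TempFileCleaner::$log = [];
load_settings_unsafe($hostile);   // rebuilt object is freed at once: __destruct fires
echo "unsafe:   ", count(TempFileCleaner::$log), " gadget call(s)\n";

TempFileCleaner::$log = [];
$blocked = load_settings_hardened($hostile);
echo "hardened: ", get_class($blocked), ", ",
     count(TempFileCleaner::$log), " gadget call(s)\n";

// Legitimate settings still load through the hardened reader.
var_dump(load_settings_hardened($legit) === ['quality' => 85, 'webp' => true]);
var_dump(load_settings_json('{"quality":85,"webp":true}'));
```

The point of the comparison is that the vulnerable reader never has to call anything on the rebuilt object; the destructor fires on its own when the value is discarded. The `allowed_classes` option closes that path for existing serialized data, and moving new data to JSON removes the format as an attack surface altogether.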

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-39471 is available across every HarborGuard environment: the CVE is matched against customer images, including custom-built images that bundle this WordPress plugin, within minutes of ingestion from upstream advisory feeds such as Patchstack. Any image carrying ShortPixel Image Optimizer at version 6.4.3 or below is flagged automatically across connected registries and CI/CD pipelines.

Triage: Available

Triage is available with CVSS v3.1 scoring applied at a severity of HIGH (7.2), weighted against each customer environment's compliance policy to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

No upstream fix has been published for this CVE as of the date of this record; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment ShortPixel releases a remediated version. For environments without an available fix, HarborGuard surfaces the open finding continuously so it remains visible in the risk queue until resolved.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS from a remote location.

  • Authentication: Required

    An Author-level WordPress account (or any higher-privilege role) is required, so the attacker must possess or obtain valid credentials before exploiting the flaw.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker can trigger the vulnerable code path directly.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond holding a valid account.

Blast Radius

  • A successful attacker can read sensitive data stored on the WordPress host, including database credentials, API keys, and stored user records.
  • The attacker can modify or delete persisted data, including post content, plugin configuration, and database rows accessible to the PHP process.
  • The attacker can crash or destabilize the WordPress service by triggering destructors that corrupt application state or exhaust server resources.
  • Because all three impact dimensions (confidentiality, integrity, availability) score High, full compromise of the affected WordPress instance is within reach from a single exploitation chain.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously across all connected customer registries and pipelines, with findings surfaced at HIGH severity (CVSS 7.2) against any image carrying ShortPixel Image Optimizer at or below version 6.4.3. Because no upstream fix exists yet, HarborGuard re-evaluates the Patchstack advisory on every ingest cycle. The moment ShortPixel publishes a patched release, a rebuilt image at the fixed version becomes available; for customers who have opted into auto-remediation, the flow continues with a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include restricting Author-role account creation and login to trusted IP ranges via network policy, applying a web application firewall rule to block serialized PHP payloads in relevant request parameters, and auditing existing Author-level accounts for signs of unauthorized access.
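One of the compensating controls named above, a rule that rejects serialized PHP object tokens in request parameters, as an added example. It is not HarborGuard or ShortPixel code; the parameter names and request bodies are constructed for the demonstration, and stdClass appears only because it is a harmless built-in.

```php
<?php
// Added example of a request filter that rejects serialized PHP object tokens
// in parameters before they reach plugin code. Not HarborGuard or ShortPixel
// code; parameter names are arbitrary and the samples below are constructed.

declare(strict_types=1);

// Object tokens in PHP's native serialization format look like
//   O:<len>:"<class>":<count>:{   or   C:<len>:"<class>":<len>:{
// Arrays (a:), ints (i:), strings (s:) and bools (b:) do not match, so a blob
// of ordinary settings still passes.
const PHP_OBJECT_TOKEN = '/[OC]:\d+:"[^"]*":\d+:\{/';

function contains_php_object(string $value): bool
{
    if (preg_match(PHP_OBJECT_TOKEN, $value) === 1) {
        return true;
    }
    // Serialized blobs are frequently base64-wrapped before being stored or
    // sent in URLs, so inspect one decoding layer as well (strict mode returns
    // false for anything that is not valid base64).
    $decoded = base64_decode($value, true);
    return $decoded !== false && preg_match(PHP_OBJECT_TOKEN, $decoded) === 1;
}

// Returns the names of the offending parameters; a WAF or a plugin-side guard
// would reject the request and log these names for the SOC.
function find_object_payloads(array $params): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && contains_php_object($value)) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

// Constructed request bodies. The rule keys on the token shape, not on the
// class name, so any class would be caught the same way.
$requests = [
    'benign settings' => ['quality' => '85', 'opts' => serialize(['webp' => true])],
    'object token'    => ['opts' => serialize(new stdClass())],
    'base64 wrapped'  => ['opts' => base64_encode(serialize(new stdClass()))],
    'nested in array' => ['opts' => serialize(['cb' => new stdClass()])],
];

foreach ($requests as $label => $params) {
    $hits = find_object_payloads($params);
    printf("%-16s %s\n", $label . ':',
        $hits ? 'blocked (' . implode(', ', $hits) . ')' : 'allowed');
}
```

A filter of this kind is a stopgap, not a substitute for the upstream fix: it catches the common shapes of a serialized payload (plain and one layer of base64), but pattern matching on request bodies can be evaded by other encodings, and it does nothing for serialized data already persisted in the database. Pair it with the account audit mentioned above and remove it once the patched plugin is deployed.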

Affected packages
  • ShortPixel / ShortPixel Image Optimizer
    ≤ 6.4.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H