Product
The Optimole WordPress plugin before version 4.2.3 is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping on the 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint, allowing unauthenticated attackers to inject arbitrary web scripts.