Image optimization service by Optimole < 4.1.1 – Insecure Direct Object Reference to Authenticated (Author+) Media Offload | CVE 2025-11519 | Plugin Vulnerabilities

Description

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them.

Affects Plugins

Fixed in 4.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9288ed60-b14b-4188-84d4-efe770093551

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

14aad974-bb18-40c9-b94a-813fd3373228

Timeline

Publicly Published

2025-10-17 (about 6 months ago)

Added

2025-10-17 (about 6 months ago)

Last Updated

2025-10-18 (about 6 months ago)

Other

Published

Title

Published

2025-10-14

Title

Quick Featured Images < 13.7.3 - Insecure Direct Object Reference to Image Manipulation

Published

2023-08-07

Title

Simple Blog Card < 1.32 - Subscriber+ Arbitrary Post Access

Published

2026-04-07

Title

Masteriyo LMS < 2.1.8 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint

Published

2025-12-29

Title

Backpack Traveler <= 2.10.3 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2024-06-03

Title

Essential Real Estate < 4.4.5 - Insecure Direct Object Reference to Arbitrary Attachment Deletion