WordPress Plugin Vulnerabilities

ShortPixel Image Optimizer < 6.3.5 - Authenticated (Contributor+) Settings Import/Export

Description

The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.

Affects Plugins

Plugin icon
shortpixel-image-optimiser
Fixed in 6.3.5

References

CVE
CVE-2025-11378
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1f7e9eb5-e222-43fa-a14f-b9cbced6b8f5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
cdfef655-9649-4a98-b7f2-3402237d8110

Timeline

Publicly Published
2025-10-17 (about 6 months ago)
Added
2025-10-17 (about 6 months ago)
Last Updated
2025-10-18 (about 6 months ago)

Other

Published
Title
Published
2023-09-05
Title
WP Accessibility Helper (WAH) < 0.6.2.5 - Missing Authorization via AJAX action
Published
2023-12-12
Title
CAOS < 4.7.15 - Unauthenticated Settings Update
Published
2024-05-20
Title
AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 - Missing Authorization to Unauthenticated Ad Status Update
Published
2025-11-29
Title
TNC Toolbox: Web Performance < 2.0.5 - Missing Authorization
Published
2024-03-26
Title
Multiple Page Generator Plugin – MPG < 3.4.1 - Missing Authorization via mpg_get_log_by_project_id