WordPress Plugin Vulnerabilities

Crush.pics Image Optimizer <= 1.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

Description

The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.

Affects Plugins

Plugin icon
crush-pics
No known fix

References

CVE
CVE-2025-14482
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
ChamlaVic
Verified
No
WPVDB ID
f56cb673-1d65-47c7-b462-7e3306a2d568

Timeline

Publicly Published
2026-01-13 (about 2 months ago)
Added
2026-01-13 (about 2 months ago)
Last Updated
2026-01-14 (about 2 months ago)

Other

Published
Title
Published
2025-12-18
Title
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program < 2.9.7.2 - Missing Authorization to Sensitive Information Exposure
Published
2026-02-17
Title
Taskbuilder < 5.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation
Published
2025-05-16
Title
BERTHA AI <= 1.12.11 - Missing Authorization
Published
2025-11-24
Title
Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update
Published
2025-06-09
Title
Membership For WooCommerce < 2.8.2 - Missing Authorization