WordPress Plugin Vulnerabilities

ShortPixel Adaptive Images < 3.10.1 - Missing Authorization

Description

The ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the handleDeactivation() function in all versions up to, and including, 3.10.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a deactivation reason for the plugin.

Affects Plugins

Plugin icon
shortpixel-adaptive-images
Fixed in 3.10.1

References

CVE
CVE-2025-30853
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e3fdf38c-866b-4961-b937-2f1641c9fb20

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
fe809beb-86e9-4274-9489-81b33c5a8d60

Timeline

Publicly Published
2025-04-01 (about 1 year ago)
Added
2025-04-08 (about 1 year ago)
Last Updated
2025-04-08 (about 1 year ago)

Other

Published
Title
Published
2023-11-13
Title
Essential Blocks for Gutenberg < 4.2.1 - Missing Authorization via AJAX actions
Published
2025-01-06
Title
WP Visitor Statistics (Real Time Traffic) < 7.6 - Missing Authorization
Published
2024-04-25
Title
Master Addons for Elementor < 2.0.5.6 - Missing Authorization on Duplicate Post
Published
2024-12-11
Title
Snippet Shortcodes < 4.1.7 - Authenticated (Subscriber+) Shortcode Deletion
Published
2025-06-26
Title
DWT < 3.3.7 - Unauthenticated Arbitrary User Password Reset