Description
The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
Published: 2025-10-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration modification
Action: Immediate Patch
AI Analysis

Impact

The ShortPixel Image Optimizer plugin for WordPress contains a missing capability check on the 'shortpixel_ajaxRequest' AJAX action, which allows an authenticated user with Contributor-level or higher permissions to export and import site options. This capability bypass enables the attacker to modify the plugin’s configuration data, potentially changing image optimization settings.

Affected Systems

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF, all versions up to and including 6.3.4. The flaw can affect any WordPress site that has the plugin installed and employs user roles with Contributor or higher privileges.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score of <1% suggests a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only authenticated access with Contributor or higher roles; the exploitation path involves sending a crafted AJAX request to the plugin’s endpoint. The missing capability check allows the attacker to change configuration via the export/import functions.

Generated by OpenCVE AI on April 28, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShortPixel Image Optimizer plugin to the latest stable version that includes the missing capability checks.
  • Review user accounts and remove unnecessary Contributor-level privileges from users who do not need them, ensuring only trusted accounts retain access.
  • Restrict the use of the 'shortpixel_ajaxRequest' endpoint by configuring WordPress role management or a security plugin to block AJAX requests from untrusted roles.
  • Proactively monitor site logs for unusual AJAX activity related to the ShortPixel plugin and investigate any suspicious requests.

Generated by OpenCVE AI on April 28, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Oct 2025 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Oct 2025 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Shortpixel
Shortpixel image Optimizer
Shortpixel shortpixel Image Optimizer
Wordpress
Wordpress wordpress
Vendors & Products Shortpixel
Shortpixel image Optimizer
Shortpixel shortpixel Image Optimizer
Wordpress
Wordpress wordpress

Sat, 18 Oct 2025 03:45:00 +0000

Type Values Removed Values Added
Description The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
Title ShortPixel Image Optimizer <= 6.3.4 - Authenticated (Contributor+) Settings Import/Export
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Shortpixel Image Optimizer Shortpixel Image Optimizer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:01.563Z

Reserved: 2025-10-06T16:43:29.722Z

Link: CVE-2025-11378

cve-icon Vulnrichment

Updated: 2025-10-20T18:41:00.533Z

cve-icon NVD

Status : Deferred

Published: 2025-10-18T04:16:05.933

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11378

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:45:15Z

Weaknesses