Description
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.
Published: 2026-01-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of plugin configuration by an authenticated subscriber-level user
Action: Patch Immediately
AI Analysis

Impact

The Crush.pics Image Optimizer plugin for WordPress has a missing capability check in several AJAX handling functions. This flaw allows any authenticated user with Subscriber-level access or higher to change the plugin’s configuration, such as disabling auto‑compression or adjusting image quality. The change is purely a configuration alteration and does not provide direct remote code execution or denial of service, but it can degrade site performance and alter the visitor experience.

Affected Systems

Crush.pics Image Optimizer – Image Compression and Optimization for WordPress. All plugin releases from the initial version up to and including 1.8.7 are affected. No other vendors or products are impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact level. The EPSS score of less than 1% signals that exploitation likelihood is currently low. The vulnerability is not listed in CISA’s KEV catalog. Attackers require only an authenticated WordPress account with Subscriber privileges and do not need higher privileges. The oversight is likely triggered through a web‑based AJAX request; once the attacker gains access, they can modify settings without any additional systems or network steps, making it relatively simple for a determined user to exploit.

Generated by OpenCVE AI on April 21, 2026 at 23:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Crush.pics Image Optimizer to version 1.8.8 or newer
  • Revoke the ability for Subscriber-level users to access the plugin’s settings by adjusting WordPress capabilities
  • Audit the plugin configuration files and review access logs for unauthorized changes

Generated by OpenCVE AI on April 21, 2026 at 23:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Crushpics
Crushpics crush.pics Image Optimizer
Wordpress
Wordpress wordpress
Vendors & Products Crushpics
Crushpics crush.pics Image Optimizer
Wordpress
Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type Values Removed Values Added
Description The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.
Title Crush.pics Image Optimizer <= 1.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Crushpics Crush.pics Image Optimizer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:11.423Z

Reserved: 2025-12-10T19:10:58.805Z

Link: CVE-2025-14482

cve-icon Vulnrichment

Updated: 2026-01-14T15:44:44.260Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T06:15:52.597

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14482

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses