Description
Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images shortpixel-adaptive-images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShortPixel Adaptive Images: from n/a through <= 3.10.0.
Published: 2025-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ShortPixel Adaptive Images plugin contains a Missing Authorization flaw (CWE‑862) that allows attackers to exploit incorrectly configured access control security levels. This missing authorization vulnerability enables users to perform privileged actions on the plugin without proper authentication. The flaw does not provide direct remote code execution or data exfiltration capabilities.

Affected Systems

WordPress sites that use the ShortPixel Adaptive Images plugin are affected. The issue applies to all releases from the initial build through version 3.10.0, inclusive. Any instance of the plugin at 3.10.0 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. An attacker would target exposed plugin endpoints or administrative interfaces that lack proper authorization checks; success requires no pre‑existing credentials, as the missing authorization allows unauthorized requests to perform configuration changes. The potential impact is limited to unauthorized plugin configuration modifications rather than full system compromise.

Generated by OpenCVE AI on May 1, 2026 at 11:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShortPixel Adaptive Images plugin to any version newer than 3.10.0.
  • If upgrading is not feasible, disable or remove the plugin to eliminate the exposed privilege.
  • Ensure that any REST API or administrative endpoints provided by the plugin require authenticated and authorized access before processing requests, restricting them to administrators only.

Advisories
Source: EUVD
ID: EUVD-2025-9473
Title: Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShortPixel Adaptive Images: from n/a through 3.10.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShortPixel Adaptive Images: from n/a through 3.10.0.
Values Added: Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images shortpixel-adaptive-images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShortPixel Adaptive Images: from n/a through <= 3.10.0.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 02 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShortPixel Adaptive Images: from n/a through 3.10.0.
Title WordPress ShortPixel Adaptive Images plugin <= 3.10.0 - Broken Authentication vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Shortpixel Shortpixel Adaptive Images
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.853Z

Reserved: 2025-03-26T09:21:01.287Z

Link: CVE-2025-30853

Vulnrichment

Updated: 2025-04-02T14:12:20.899Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:45.573

Modified: 2026-04-23T15:27:11.783

Link: CVE-2025-30853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:45:16Z

Weaknesses