Description
Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access or Control
Action: Update
AI Analysis

Impact

The vulnerability is a missing authorization check in Elementor Image Optimizer by Elementor, as described in the CVE, allowing attackers to exploit incorrectly configured access control. This broken access control can let an unauthenticated or low‑privileged user gain unauthorized access to functionality normally restricted by the plugin, potentially leading to data exposure or unauthorized configuration changes. The weakness aligns with CWE‑862.

Affected Systems

The issue affects the WordPress plugin Elementor Image Optimizer by Elementor, with all releases up to and including version 1.7.1 susceptible. Sites running this plugin without the latest update are at risk. Since the plugin runs in a WordPress environment, any WordPress site that has installed the vulnerable version is potentially impacted.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity. An EPSS score of less than 1% suggests the probability of public exploitation is very low at the time of analysis, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to reach the plugin’s protected endpoints, which are typically exposed to all visitors; thus the likely attack vector is remote via HTTP requests. Because the flaw stems from a missing authorization layer, an attacker who can trigger the vulnerable endpoint can bypass restrictions without needing valid credentials.

Generated by OpenCVE AI on April 16, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Elementor Image Optimizer to version 1.7.2 or later, which addresses the missing authorization check.
  • If an immediate upgrade is not possible, permanently disable or uninstall the plugin to eliminate the exposed functionality.
  • Review site access controls and restrict direct access to plugin endpoints, ensuring only authenticated administrators can interact with plugin APIs.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 26 Feb 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'} |


Fri, 20 Feb 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Elementor; Elementor image Optimizer By Elementor; Wordpress; Wordpress wordpress |
| Vendors & Products | | Elementor; Elementor image Optimizer By Elementor; Wordpress; Wordpress wordpress |

Thu, 19 Feb 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1. |
| Title | | WordPress Image Optimizer by Elementor plugin <= 1.7.1 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:51.935Z

Reserved: 2026-02-02T12:53:07.231Z

Link: CVE-2026-25387

Vulnrichment

Updated: 2026-02-26T18:49:36.900Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:20.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25387

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:30:18Z

Weaknesses