CVE-2025-11378
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shortpixel | shortpixel_image_optimizer | 6.3.4 |
| shortpixel | shortpixel_image_optimizer | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the ShortPixel Image Optimizer plugin for WordPress, where a missing capability check on the 'shortpixel_ajaxRequest' AJAX action allows authenticated users with Contributor-level access or higher to modify data without proper authorization. Specifically, these users can export and import site options, which they should not normally be able to do.
How can this vulnerability impact me? :
The vulnerability can allow attackers with Contributor-level access or above to export and import site options, potentially leading to unauthorized changes in site configuration or data manipulation. This could compromise the integrity of the website's settings and functionality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the ShortPixel Image Optimizer plugin to a version later than 6.3.4 where the missing capability check on the 'shortpixel_ajaxRequest' AJAX action is fixed. Additionally, restrict Contributor-level access and above to trusted users only until the update is applied.