CVE-2025-14482
Unauthorized Data Modification in Crush.pics WordPress Plugin
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crush_pics | crush_pics | up to and including 1.8.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Crush.pics Image Optimizer WordPress plugin allows authenticated users with Subscriber-level access or higher to modify plugin settings without proper authorization checks. The cause is missing capability checks on multiple functions in the plugin, in versions up to and including 1.8.7. Attackers can change settings such as disabling auto-compression and altering image quality settings, which they should not normally be able to do.
How can this vulnerability impact me?
This vulnerability can impact you by allowing low-privileged authenticated users to change plugin settings, potentially degrading image optimization on your WordPress site. For example, attackers could disable automatic image compression or reduce image quality settings, which may lead to slower page load times, increased bandwidth usage, and a poorer user experience. It could also undermine site performance and resource usage due to unoptimized images.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification of plugin settings via AJAX actions in the Crush.pics plugin. Detection can focus on monitoring requests to the WordPress admin-ajax.php endpoint for calls to the Crush.pics AJAX actions such as 'wpic_change_compression_auto', 'wpic_custom_quality_data_save', or other related actions that modify plugin settings. Commands to detect such activity could include filtering web server access logs or network monitoring output for requests containing 'action=wpic_change_compression_auto' or similar. For example, using grep on Apache logs: `grep 'action=wpic_change_compression_auto' /var/log/apache2/access.log`, or using tools like tcpdump or Wireshark to monitor HTTP POST requests to admin-ajax.php carrying these parameters. Additionally, checking the WordPress database options related to Crush.pics for unexpected changes might help detect exploitation. [2]
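The log-filtering approach above, carried a step further as an added example (not code from the advisory or from the plugin): a small scanner for Apache/nginx combined-format access logs that parses each line, keeps only admin-ajax.php requests whose `action` query parameter is a Crush.pics settings action, and tallies them per client IP for triage. The two action names come from the advisory; matching on the `wpic_` prefix to catch the plugin's other settings actions is an assumption, as are the constructed sample log lines. One caveat the grep does not surface: an access log records only the query string, so a POST whose `action` travels in the form body is invisible here unless the server is configured to log request bodies, and the log cannot tell you which WordPress role the cookie belonged to.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Settings actions the advisory names explicitly.
KNOWN_ACTIONS = {"wpic_change_compression_auto", "wpic_custom_quality_data_save"}
# Assumption (not stated in the advisory): the plugin's other settings actions
# share the wpic_ prefix, so prefix matching is used to catch them as well.
ACTION_PREFIX = "wpic_"

# Apache/nginx "combined" format:
# ip - user [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def crushpics_action(path):
    """Return the wpic_* action carried in an admin-ajax.php request path, or None.

    Only the query string is visible in an access log: a POST whose action is in
    the form body is not caught here unless the server logs request bodies.
    """
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(parts.query).get("action", [None])[0]
    return action if action and action.startswith(ACTION_PREFIX) else None


def scan(lines):
    """Return one finding per request that reaches a Crush.pics settings action."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than crash the scan
        action = crushpics_action(rec["path"])
        if action is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "action": action,
            "status": rec["status"],
            # On an unpatched site the handler returns 200; a 4xx after the
            # update is applied means the capability check did its job.
            "succeeded": rec["status"] == 200,
            "named_in_advisory": action in KNOWN_ACTIONS,
        })
    return findings


def by_source(findings):
    """Count settings-changing requests per client IP, the usual triage pivot."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log (example data, not taken from any real site).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpic_change_compression_auto HTTP/1.1" 200 27 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpic_custom_quality_data_save&quality=10 HTTP/1.1" 200 31 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2026:10:02:10 +0000] "GET /wp-content/uploads/2026/01/pic.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["action"]} -> {h["status"]}')
    print("per source:", dict(by_source(hits)))
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`; the heartbeat call and the image fetch in the sample are deliberately present to show that only the two `wpic_` settings requests from 203.0.113.5 are reported. A burst of such requests from one address, all returning 200 before the plugin was updated, is the pattern worth pairing with a check of the plugin's stored options for values nobody with admin rights set.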
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Crush.pics plugin to a version later than 1.8.7 where the missing capability checks are fixed. If an update is not immediately available, restrict access to the WordPress admin-ajax.php endpoint to trusted users only, especially limiting Subscriber-level users from making AJAX requests that modify plugin settings. Additionally, review and harden user roles and capabilities to prevent unauthorized users from accessing plugin settings. Monitoring and logging AJAX requests related to Crush.pics can also help detect and respond to exploitation attempts. [2]