CVE-2025-14482
Unauthorized Data Modification in Crush.pics WordPress Plugin

Publication date: 2026-01-14

Last updated on: 2026-01-14

Assigner: Wordfence

Description
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: crush_pics; Product: crush_pics; Version / Range: up to 1.8.7 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

The vulnerability in the Crush.pics Image Optimizer WordPress plugin allows authenticated users with Subscriber-level access or higher to modify plugin settings without proper authorization checks. This is due to missing capability checks on multiple functions in the plugin up to version 1.8.7. Attackers can change settings such as disabling auto-compression and altering image quality settings, which they should not normally be able to do.

Impact Analysis

This vulnerability allows low-privileged authenticated users to change plugin settings, potentially degrading image optimization on your WordPress site. For example, attackers could disable automatic image compression or reduce image quality settings, which may lead to slower page load times, increased bandwidth usage, and a poorer user experience. Serving unoptimized images can also degrade overall site performance and increase resource usage.

Detection Guidance

This vulnerability involves unauthorized modification of plugin settings via AJAX actions in the Crush.pics plugin. Detection can focus on monitoring AJAX requests to the WordPress admin-ajax.php endpoint for suspicious calls to the Crush.pics AJAX actions such as 'wpic_change_compression_auto', 'wpic_custom_quality_data_save', or other related actions that modify plugin settings. Such activity can be detected with web server access logs or network monitoring tools by filtering for requests containing 'action=wpic_change_compression_auto' or similar. For example, using grep on Apache logs: `grep 'action=wpic_change_compression_auto' /var/log/apache2/access.log`, or using tools like tcpdump or Wireshark to monitor HTTP POST requests to admin-ajax.php with these parameters. Additionally, checking the WordPress database options related to Crush.pics for unexpected changes may help detect exploitation. [2]
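As an added example (not part of this advisory page or the plugin's own code), the following Python script applies the access-log check described above to constructed sample log lines: it flags admin-ajax.php requests whose query string names a wpic_ action, and separately marks POSTs to admin-ajax.php with no action in the query string, because access logs do not record request bodies, which is where admin-ajax actions are normally sent. The sample log lines and the rule that any wpic_-prefixed action is of interest are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Actions named in the detection guidance; other wpic_-prefixed actions are treated the same way (assumption).
KNOWN_ACTIONS = {"wpic_change_compression_auto", "wpic_custom_quality_data_save"}

# Apache/nginx combined log format: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_line(line):
    """Return a finding for one access-log line, or None if it is not of interest.
    severity 'high':   admin-ajax.php called with a wpic_* action in the query string.
    severity 'review': POST to admin-ajax.php with no action in the query string; the body
                       is not logged, so confirm via WAF/application logs or option changes.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(url.query).get("action", [None])[0]
    if action is not None and (action in KNOWN_ACTIONS or action.startswith("wpic_")):
        severity = "high"
    elif action is None and m.group("method") == "POST":
        severity = "review"
    else:
        return None  # admin-ajax traffic for other plugins/core (e.g. heartbeat)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "status": m.group("status"), "action": action, "severity": severity}

def scan_log(text):
    """Run classify_line over every line of an access log and return the findings in order."""
    return [f for f in (classify_line(ln) for ln in text.splitlines()) if f]

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpic_change_compression_auto HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=wpic_custom_quality_data_save&quality=10 HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Jan/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Jan/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Jan/2026:10:03:00 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['ip']} {f['method']} action={f['action']}")
```

Run against a real log with `scan_log(open("/var/log/apache2/access.log").read())`; 'review' hits are expected to be noisy on a busy site and are only worth correlating with the option-change check, not alerting on alone.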

Mitigation Strategies

Immediate mitigation steps include updating the Crush.pics plugin to a version later than 1.8.7 where the missing capability checks are fixed. If an update is not immediately available, restrict access to the WordPress admin-ajax.php endpoint to trusted users only, especially limiting Subscriber-level users from making AJAX requests that modify plugin settings. Additionally, review and harden user roles and capabilities to prevent unauthorized users from accessing plugin settings. Monitoring and logging AJAX requests related to Crush.pics can also help detect and respond to exploitation attempts. [2]
