CVE-2025-11378 in ShortPixel Image Optimizer Plugin
Summary
by MITRE • 10/18/2025
The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 10/18/2025
The ShortPixel Image Optimizer plugin for WordPress presents a critical security vulnerability through its insufficient access control mechanisms within the shortpixel_ajaxRequest AJAX action. This flaw affects all plugin versions up to and including 6.3.4, creating a pathway for authenticated attackers who possess Contributor-level permissions or higher to manipulate site configuration data. The vulnerability stems from the absence of proper capability checks that should validate user permissions before allowing execution of sensitive operations. Attackers can leverage this weakness to perform unauthorized modifications to critical site options, potentially compromising the integrity and security posture of WordPress installations that rely on this plugin.
The technical nature of this vulnerability aligns with CWE-863, which addresses "Incorrect Authorization" conditions where the system fails to properly verify that an actor is authorized to perform a requested action. This specific implementation flaw allows unauthorized privilege escalation through the AJAX interface, bypassing the standard WordPress capability verification mechanisms that typically protect sensitive administrative functions. The vulnerability operates at the application layer, exploiting the plugin's AJAX handling system to execute malicious requests without proper authentication validation. This type of flaw represents a classic authorization bypass where the system assumes that authenticated users have appropriate permissions for all operations, failing to implement granular access controls for different administrative functions.
The operational impact of this vulnerability extends beyond simple data modification, as it enables attackers to manipulate core WordPress configuration settings through the import and export functionality. Contributors and higher-level users can potentially alter site options that control various aspects of the WordPress installation, including security settings, plugin configurations, and other critical parameters. This capability allows for persistent modifications that could be used to establish backdoors, disable security features, or redirect traffic to malicious endpoints. The vulnerability's exploitation requires only basic user authentication, making it particularly dangerous as it can be leveraged by attackers who have gained access to low-privilege accounts through social engineering, credential theft, or other means.
Mitigation strategies should focus on immediate plugin updates to versions that address the missing capability checks, ensuring that all AJAX actions properly validate user permissions before executing sensitive operations. Administrators should implement the principle of least privilege by restricting user roles and capabilities to only those required for specific tasks, reducing the potential impact of compromised accounts. Network-level monitoring should be enhanced to detect unusual AJAX activity patterns that might indicate exploitation attempts, particularly around the shortpixel_ajaxRequest endpoint. Security hardening measures including regular security audits, plugin vulnerability scanning, and implementation of web application firewalls can provide additional defense layers. The ATT&CK framework categorizes this vulnerability under T1078 Valid Accounts and T1566 Phishing, as it represents a path for attackers to escalate privileges through legitimate authentication mechanisms, and T1059 Command and Scripting Interpreter, as the exploitation involves executing administrative functions through the web interface. Organizations should also consider implementing automated patch management systems to ensure timely deployment of security updates across all WordPress installations.