CVE-2025-14482 in Crush.Pics Image Optimizer Plugin
Summary
by MITRE • 01/14/2026
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.
Analysis
by VulDB Data Team • 05/27/2026
The Crush.pics Image Optimizer plugin for WordPress contains a critical authorization vulnerability that allows authenticated attackers with Subscriber-level privileges or higher to manipulate core plugin functionality. The flaw stems from the absence of capability checks in multiple administrative functions, so a low-privileged user can modify data that only administrators should control. All versions up to and including 1.8.7 are affected, meaning the issue has persisted across multiple releases. The vulnerability operates at the application layer: insufficient access controls let a request bypass the security boundary that should protect plugin configuration settings.
Technically, the plugin fails to validate user permissions before executing modification operations. When an authenticated user with Subscriber-level access requests a change to plugin settings, the plugin does not verify that the requesting user holds sufficient privileges, so the request succeeds and critical configuration parameters, including the auto-compression feature and image quality settings, can be altered. The missing capability checks are exactly what should enforce role-based access control, ensuring that only administrators or users with the appropriate permissions can modify core plugin functionality. The flaw corresponds to CWE-285 (Improper Authorization) and is a clear violation of the principle of least privilege.
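The following PHP is an added illustration of the pattern the analysis describes; it is not code from the Crush.pics plugin or from VulDB. It shows a WordPress AJAX settings handler with no capability check next to a hardened version. The action name, option key and field names (the imgopt_* identifiers) are hypothetical.

```php
<?php
// Added example: hypothetical WordPress plugin settings handler, not Crush.pics code.
// Option, action and field names (imgopt_*) are assumed for illustration only.

// --- Vulnerable pattern: missing capability check ---
// A wp_ajax_{action} hook fires for ANY logged-in user, Subscribers included,
// so without an explicit capability check every authenticated user can reach it.
function imgopt_save_settings_vulnerable() {
    $settings = get_option( 'imgopt_settings', array() );
    $settings['auto_compress'] = ! empty( $_POST['auto_compress'] );
    $settings['quality']       = isset( $_POST['quality'] ) ? (int) $_POST['quality'] : 80;
    update_option( 'imgopt_settings', $settings );   // no authorization, no nonce
    wp_send_json_success( $settings );
}
// add_action( 'wp_ajax_imgopt_save_settings', 'imgopt_save_settings_vulnerable' );

// --- Hardened pattern ---
function imgopt_save_settings_hardened() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'imgopt_save_settings', 'nonce' );

    // 2. Authorization: check a capability, not a role name. The absence of
    //    this check is the CWE-285 condition behind CVE-2025-14482.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: coerce and bound every value before storing it.
    $quality = isset( $_POST['quality'] ) ? absint( $_POST['quality'] ) : 80;
    $quality = max( 1, min( 100, $quality ) );

    $settings = array(
        'auto_compress' => ! empty( $_POST['auto_compress'] ),
        'quality'       => $quality,
    );
    update_option( 'imgopt_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_imgopt_save_settings', 'imgopt_save_settings_hardened' );
```

The order of the checks in the hardened handler matters: the nonce check defeats cross-site request forgery, but a nonce alone is not an authorization control, because any logged-in user can obtain a nonce for an action they can reach. Only current_user_can() ties the operation to a privilege that Subscribers lack.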
The operational impact of this vulnerability extends beyond simple configuration changes, as it provides attackers with the ability to fundamentally alter how the image optimization plugin functions within the WordPress environment. By disabling auto-compression features, attackers can prevent the automatic optimization of images, potentially leading to increased server load and bandwidth consumption. Additionally, changing image quality settings can result in either degraded user experience through lower quality images or increased resource consumption through higher quality settings. The vulnerability creates a persistent threat vector that allows attackers to maintain control over the plugin's behavior even after initial access, enabling them to establish long-term influence over the site's media handling capabilities. This type of vulnerability aligns with ATT&CK technique T1078.004, which covers valid accounts used for persistence, as authenticated users can maintain their access and modify settings without detection.
The security implications of this vulnerability are particularly concerning given that it requires minimal privileges to exploit, making it accessible to users who should not have administrative capabilities. The flaw enables attackers to potentially disrupt normal site operations while maintaining their access privileges, creating opportunities for further attacks or data manipulation. Organizations using this plugin are at risk of having their image optimization processes compromised, which can affect site performance, user experience, and potentially create additional security vectors through the manipulation of media files. The vulnerability's persistence across multiple versions suggests inadequate security testing and review processes during development, highlighting gaps in the plugin's security assurance practices.
Mitigation strategies should focus on immediate remediation through plugin updates to versions that include proper capability checks and authorization validation. System administrators should also implement additional monitoring to detect unauthorized configuration changes to plugin settings, particularly those that affect core functionality. Role-based access controls should be reviewed and enforced to ensure that users with subscriber-level privileges cannot access administrative functions. Network-level monitoring can help identify suspicious modification patterns, while regular security audits should verify that all administrative functions properly validate user permissions. Organizations should also consider implementing additional security measures such as web application firewalls to detect and prevent exploitation attempts, and ensure that all WordPress plugins undergo thorough security review before deployment to production environments. The vulnerability demonstrates the critical importance of implementing proper access controls and capability validation in all software components that handle administrative functions.
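As an added example of the monitoring and compensating controls the mitigation section calls for, the following must-use plugin logs every write to a watched plugin option with the acting user's identity and capability, and refuses writes from users who cannot manage options. It is not code from Crush.pics or VulDB; the option key 'imgopt_settings' is a placeholder to be replaced with the real plugin's option name.

```php
<?php
// Added example: hypothetical audit/guard mu-plugin, not Crush.pics or VulDB code.
// IMGOPT_WATCHED_OPTION is an assumed option key; substitute the real one.

define( 'IMGOPT_WATCHED_OPTION', 'imgopt_settings' );

/**
 * Detection control: log every change to the watched option, including who
 * made it and whether that user holds manage_options. Runs after the write.
 */
function imgopt_log_option_change( $option, $old_value, $value ) {
    if ( IMGOPT_WATCHED_OPTION !== $option ) {
        return;
    }
    $user       = wp_get_current_user();
    $privileged = current_user_can( 'manage_options' ) ? 'yes' : 'no';
    error_log( sprintf(
        '[imgopt-audit] option=%s user_id=%d login=%s manage_options=%s ip=%s uri=%s old=%s new=%s',
        $option,
        $user->ID,
        $user->user_login,
        $privileged,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        wp_json_encode( $old_value ),
        wp_json_encode( $value )
    ) );
}
add_action( 'updated_option', 'imgopt_log_option_change', 10, 3 );

/**
 * Compensating control for sites that cannot patch immediately: reject the
 * write unless the current user may manage options. Returning the old value
 * makes update_option() a no-op, so a Subscriber-initiated change never lands.
 * WP-CLI and cron run without a logged-in user, so they are exempted.
 */
function imgopt_block_unprivileged_change( $value, $old_value, $option ) {
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
        return $value;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            '[imgopt-audit] BLOCKED write to %s by user_id=%d',
            $option,
            get_current_user_id()
        ) );
        return $old_value;
    }
    return $value;
}
add_filter( 'pre_update_option_' . IMGOPT_WATCHED_OPTION, 'imgopt_block_unprivileged_change', 10, 3 );
```

Placing the file in wp-content/mu-plugins/ ensures it loads before regular plugins, so the hooks are registered before any plugin handler calls update_option(). The log line with manage_options=no is the signal to alert on: it records exactly the event the advisory describes, a settings change made by an account that should not be able to make one. The guard filter is a stopgap, not a substitute for updating to a fixed release.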