CVE-2025-9945 in Optimize More CSS Plugin
Summary
by MITRE • 10/03/2025
The Optimize More! – CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Analysis
by VulDB Data Team • 10/03/2025
The Optimize More! CSS plugin for WordPress contains a critical cross-site request forgery vulnerability affecting all versions through 1.0.3. The flaw resides in the plugin's reset_plugin function, which does not validate the WordPress nonce that should accompany a state-changing request. WordPress administrators are at risk because they may unknowingly trigger the reset when visiting a compromised web page or clicking a malicious link: without nonce verification, a forged request arriving in the administrator's authenticated browser session is indistinguishable to WordPress from a legitimate one, which bypasses the standard authentication and authorization controls meant to protect plugin configuration settings.
Technically, the vulnerability stems from inadequate request validation within the plugin's administrative interface. When administrators access certain pages or perform specific actions, the plugin processes the request without verifying that it was intentionally issued from the plugin's own administrative pages rather than from a third-party site. This weakness allows an unauthenticated attacker to craft a request that targets the reset_plugin function and, once an administrator's browser submits it, clears or resets the optimization settings without proper authorization. In short, the reset functionality is reachable through a forged HTTP request.
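To make the missing check concrete, the following is an added illustration, not code from the Optimize More! CSS plugin: a hypothetical WordPress admin-side reset handler in the vulnerable shape the advisory describes (no nonce validation), followed by the hardened form using the standard nonce and capability checks. The option name, query parameter, page slug and capability are assumptions.

```php
<?php
// Added illustration, not the Optimize More! CSS plugin's code. Option name,
// query parameter, page slug and capability are assumptions.

// --- Vulnerable shape: acts on any request carrying ?omc_reset=1 ---
// A request that an administrator's browser sends from another site is
// accepted, because nothing proves it was issued from the plugin's own
// settings page. This is the CWE-352 condition the advisory describes.
function omc_reset_plugin_vulnerable() {
    if ( empty( $_GET['omc_reset'] ) ) {
        return;
    }
    delete_option( 'omc_optimization_settings' ); // assumed option name
}

// --- Hardened form: capability check + nonce validation ---
// The settings page builds its reset link with wp_nonce_url(), so the link
// carries a _wpnonce bound to the action name and the current user.
function omc_reset_link() {
    return wp_nonce_url(
        admin_url( 'admin.php?page=omc-settings&omc_reset=1' ),
        'omc_reset_plugin' // action name the nonce is minted for
    );
}

function omc_reset_plugin_hardened() {
    if ( empty( $_GET['omc_reset'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage settings may reset them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF protection: the request must carry a valid nonce for this action;
    // check_admin_referer() calls wp_die() when it is missing or invalid.
    check_admin_referer( 'omc_reset_plugin' );

    delete_option( 'omc_optimization_settings' ); // assumed option name
    wp_safe_redirect( admin_url( 'admin.php?page=omc-settings&reset=1' ) );
    exit;
}

add_action( 'admin_init', 'omc_reset_plugin_hardened' );
```

Because a nonce is tied to the logged-in user and expires, a page on another origin cannot obtain one, so the hardened handler rejects the forged request even though it arrives with the administrator's session cookie.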
The operational impact of this CSRF vulnerability extends beyond a simple configuration reset and could lead to more severe consequences for affected websites. An attacker who successfully exploits it can degrade site performance by resetting optimization parameters that may have been carefully tuned for loading speed and resource usage. The result can be a worse user experience, increased server load, and potential security implications if the reset removes security-relevant configuration or optimization settings that protect against other attack vectors.
Security practitioners should note that this vulnerability aligns with CWE-352, which covers Cross-Site Request Forgery in web applications. The flaw also maps to ATT&CK technique T1059.001 (Command and Scripting Interpreter), as attackers may leverage the compromised plugin functionality to execute arbitrary commands or modify system configurations. Organizations running an affected version should promptly apply mitigations: update to a patched release, add access controls in front of the administrative interface, and monitor for unauthorized configuration changes. The vulnerability underlines the importance of proper nonce handling in WordPress plugins and the need for security testing of every administrative function that changes site configuration.