CVE-2025-11378 MEDIUM

CVE-2025-11378: ShortPixel Image Optimizer <= 6.3.4 - Authenticated (Contributor+) Settings Import/Export

Vendor Shortpixel
Product ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
Weakness CWE-862 · Missing authorization
Published October 18, 2025
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

1. Description (what the vulnerability does)

The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
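The defect class above (CWE-862 on a WordPress admin-ajax action) comes down to a handler that trusts the wp_ajax_ hook alone, which only proves the caller is logged in. The following is an added illustration, not ShortPixel's code: a hypothetical settings import/export handler without a capability check beside its hardened form; the action name, option name and function names are assumptions.

```php
<?php
// Added illustration of CWE-862 on a WordPress admin-ajax handler. Not
// ShortPixel's code: the 'example_settings' action, option and functions
// are hypothetical.

// Vulnerable pattern: wp_ajax_ only guarantees a logged-in caller. Any role
// that can reach admin-ajax.php (Contributor, Subscriber) can export or
// import the option because no capability is ever checked.
function example_settings_ajax_unchecked() {
    $op = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    if ( 'export' === $op ) {
        wp_send_json_success( get_option( 'example_settings', array() ) );
    }
    if ( 'import' === $op && isset( $_POST['settings'] ) ) {
        update_option( 'example_settings', json_decode( wp_unslash( $_POST['settings'] ), true ) );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown op', 400 );
}

// Hardened form: verify the nonce (CSRF), then require the capability the
// operation needs. Import/export of site options is an administrator task,
// so manage_options is the right check. is_admin() is not a substitute:
// every admin-ajax.php request reports is_admin() as true.
function example_settings_ajax_checked() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $op = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    if ( 'export' === $op ) {
        wp_send_json_success( get_option( 'example_settings', array() ) );
    }
    if ( 'import' === $op && isset( $_POST['settings'] ) ) {
        $incoming = json_decode( wp_unslash( $_POST['settings'] ), true );
        if ( ! is_array( $incoming ) ) {
            wp_send_json_error( 'bad payload', 400 );
        }
        // Accept only known keys so an import cannot plant arbitrary option data.
        $allowed = array( 'quality', 'convert_webp', 'convert_avif' );
        update_option( 'example_settings', array_intersect_key( $incoming, array_flip( $allowed ) ) );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown op', 400 );
}

// Register only the hardened handler, and never a wp_ajax_nopriv_ variant
// for a privileged operation.
add_action( 'wp_ajax_example_settings', 'example_settings_ajax_checked' );
```

When auditing a plugin for this weakness, look at every wp_ajax_ callback for a current_user_can() check that matches what the callback actually does, not merely a nonce check.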

2. Summary (the vulnerability in simple terms)

ShortPixel Image Optimizer versions up to and including 6.3.4 lack a proper authorization check, allowing authenticated users to read and modify sensitive data they should not be able to access. An attacker with a low-privilege account can view or alter image optimization settings and metadata belonging to other users or to the site itself. Update to a version newer than 6.3.4.

3. Attacker capabilities (what an attacker can do)

Read and modify image optimization data and settings belonging to other users.

4. Site impact (potential impact on your site)

Unauthorized users can access and alter image optimization settings, potentially exposing or corrupting image metadata.

5. Prerequisites (conditions required to exploit)

The attacker must have a low-privilege account on the site (e.g., a Subscriber or Contributor role).

6. Disclosure timeline (key dates)

October 18, 2025 CVE published
April 8, 2026 Record updated