What the vulnerability does
01 Description
The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
Explanation of Vulnerability in Simple Terms
02 Summary
ShortPixel Image Optimizer versions up to 6.3.4 lack proper authorization checks, allowing authenticated users to read and modify sensitive data they should not access. An attacker with a low-privilege account can view or alter image optimization settings and metadata belonging to other users or the site. Update to a version newer than 6.3.4.
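The advisory's root cause is an admin-ajax handler that reads and writes site options without checking who is calling it. The following is an added illustration, not ShortPixel's code and not the fix the project shipped: a hypothetical option export/import handler is shown first without any authorization (the weak pattern the advisory describes) and then with the nonce and capability checks WordPress provides for exactly this purpose, plus a small audit hook a site owner could use to spot option changes made by low-privilege accounts. The action name comes from the advisory; the function names, the option key 'example_plugin_settings', the nonce action 'example_plugin_ajax' and the script handle 'example-plugin-admin' are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's code. Handler names, option key and
// nonce action are assumed; only the AJAX action name is from the advisory.

// Weak form: any logged-in user who can reach admin-ajax.php can read and
// overwrite the plugin's options, because nothing checks a capability.
function example_ajax_request_unchecked() {
    $task = isset( $_POST['task'] ) ? sanitize_key( $_POST['task'] ) : '';
    if ( 'export' === $task ) {
        wp_send_json_success( get_option( 'example_plugin_settings', array() ) );
    }
    if ( 'import' === $task && isset( $_POST['settings'] ) ) {
        update_option( 'example_plugin_settings', json_decode( wp_unslash( $_POST['settings'] ), true ) );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown task', 400 );
}

// Hardened form: verify a nonce (the request came from a page we rendered)
// and a capability (the user may change site options) before touching data.
function example_ajax_request_checked() {
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_plugin_ajax', 'nonce' );

    // Exporting or importing site options is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $task = isset( $_POST['task'] ) ? sanitize_key( $_POST['task'] ) : '';
    if ( 'export' === $task ) {
        wp_send_json_success( get_option( 'example_plugin_settings', array() ) );
    }
    if ( 'import' === $task && isset( $_POST['settings'] ) ) {
        $settings = json_decode( wp_unslash( $_POST['settings'] ), true );
        if ( ! is_array( $settings ) ) {
            wp_send_json_error( 'malformed settings', 400 );
        }
        // Accept only known keys so an import cannot plant arbitrary values.
        $allowed  = array( 'compression_level', 'convert_webp', 'convert_avif' );
        $settings = array_intersect_key( $settings, array_flip( $allowed ) );
        update_option( 'example_plugin_settings', $settings );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown task', 400 );
}

// Only the hardened handler is registered. A wp_ajax_ hook (as opposed to
// wp_ajax_nopriv_) already requires a login, but "logged in" is not
// "authorized": the capability check above is what enforces that.
add_action( 'wp_ajax_shortpixel_ajaxRequest', 'example_ajax_request_checked' );

// The nonce the handler expects is handed to the admin page's script.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-plugin-admin', 'examplePlugin', array(
        'nonce' => wp_create_nonce( 'example_plugin_ajax' ),
    ) );
} );

// Detection aid: record who changed the plugin's options. A change made by
// a user without manage_options is the signal this advisory is about.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( 'example_plugin_settings' !== $option ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[audit] option %s changed by user %d (%s); has manage_options: %s',
        $option,
        $user->ID,
        implode( ',', (array) $user->roles ),
        current_user_can( 'manage_options' ) ? 'yes' : 'no'
    ) );
}, 10, 3 );
```

The two checks address different risks: the nonce stops a request forged from another origin in the victim's browser, while the capability check stops a legitimately logged-in but low-privilege account from reaching administrator-only functionality, which is the class of flaw described above. Restricting an import to known keys is a further belt-and-braces step that limits what even an authorized user can write.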
What an attacker can do
03 Attacker Capabilities
Read and modify image optimization data and settings belonging to other users.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter image optimization settings, potentially exposing or corrupting image metadata.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account on the site (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
October 18, 2025: CVE published
April 8, 2026: Record updated