CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.
Explanation of Vulnerability in Simple Terms
Crush.pics Image Optimizer versions up to 1.8.7 lack proper authorization checks, allowing authenticated users to modify image data or settings they should not have access to. An attacker with a low-privilege account can alter images or configuration without proper permission validation. The vulnerability affects the integrity of stored images but does not expose sensitive data or cause service disruption.
What an attacker can do
Modify images or image settings belonging to other users or the site.
Potential impact on your site
Users' images may be altered or deleted by other authenticated users without authorization.
Conditions required to exploit
Attacker must have a low-privilege user account on the site.
Key dates
External resources
Related vulnerabilities
