The vulnerability identified as CVE-2025-11378 affects the ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress, specifically versions up to 6.3.4. This plugin is widely used to optimize images and convert them to modern formats like WebP and AVIF to improve website performance. The security flaw is classified under CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user capabilities before processing certain AJAX requests. The affected AJAX action, 'shortpixel_ajaxRequest', lacks a capability check, allowing any authenticated user with Contributor-level privileges or higher to perform unauthorized export and import of site options. This unauthorized access could lead to modification or leakage of configuration data, potentially impacting the confidentiality and integrity of the site’s settings. The vulnerability does not affect availability and does not require user interaction beyond authentication. The CVSS v3.1 score of 5.4 reflects a medium severity, with an attack vector of network, low attack complexity, and requiring privileges. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where Contributor-level users are common. The plugin’s broad usage in WordPress sites globally increases the potential attack surface. The missing authorization check is a critical oversight in the plugin’s security design, emphasizing the need for strict capability validation in AJAX handlers.

The primary impact of this vulnerability is unauthorized modification and potential leakage of site configuration options, which can compromise the confidentiality and integrity of the affected WordPress site. Attackers with Contributor-level access can export sensitive site options and import altered configurations, potentially leading to misconfigurations, privilege escalation, or exposure of sensitive data. While the vulnerability does not directly affect availability, the integrity compromise could facilitate further attacks or site instability. Organizations relying on this plugin may face risks of data leakage or unauthorized changes that could undermine trust and operational security. Since Contributor-level access is relatively low privilege, the attack surface includes a broad range of authenticated users, increasing the likelihood of exploitation in multi-user environments. The absence of known exploits in the wild currently limits immediate impact, but the vulnerability remains a significant risk if weaponized. Websites with multiple contributors or user-generated content workflows are particularly vulnerable.

To mitigate this vulnerability, organizations should immediately update the ShortPixel Image Optimizer plugin to a version that includes the proper authorization checks once released by the vendor. Until a patch is available, administrators should restrict Contributor-level and higher access to trusted users only, minimizing the number of users who can exploit the flaw. Implementing strict role-based access control (RBAC) policies and auditing user permissions can reduce exposure. Additionally, monitoring AJAX requests for unusual export or import activity related to 'shortpixel_ajaxRequest' can help detect exploitation attempts. Web application firewalls (WAFs) can be configured to block suspicious AJAX calls if feasible. Site administrators should also review and harden WordPress security configurations, including limiting plugin usage to essential components and regularly backing up site configurations to enable recovery from unauthorized changes. Finally, educating users about the risks of privilege misuse and maintaining vigilant patch management practices are critical.