
CVE-2025-11519: CWE-639 Authorization Bypass Through User-Controlled Key in optimole Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization

Severity: Medium
Tags: Vulnerability, CVE-2025-11519, CWE-639
Published: Sat Oct 18 2025 (10/18/2025, 06:42:47 UTC)
Source: CVE Database V5
Vendor/Project: optimole
Product: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization

Description

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them.

AI-Powered Analysis

AI analysis last updated: 10/25/2025, 09:54:45 UTC

Technical Analysis

CVE-2025-11519 is a security vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Optimole WordPress plugin, which optimizes images by converting formats, lazy loading, and serving via CDN. The vulnerability exists in all versions up to and including 4.1.0 and is triggered via the /wp-json/optml/v1/move_image REST API endpoint. This endpoint lacks proper validation of a user-supplied key parameter, enabling authenticated users with Author-level privileges or higher to perform unauthorized actions on media files they do not own. Specifically, an attacker can offload or move media assets belonging to other users, effectively bypassing authorization controls. The flaw does not require user interaction beyond authentication and does not impact confidentiality or availability but compromises integrity by allowing unauthorized media manipulation. The CVSS v3.1 score is 4.3, reflecting a medium severity due to the limited impact scope and the requirement for authenticated access. No known exploits are currently reported in the wild. The vulnerability highlights the risk of insufficient access control checks in REST API endpoints within WordPress plugins, especially those handling media management. Organizations using the Optimole plugin should be aware of this risk and monitor for updates or patches from the vendor. Until patched, limiting Author-level user roles and auditing REST API calls can reduce exposure.
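The root cause described above is a REST endpoint whose permission check is not tied to the specific object the caller names. The following is an added illustration (not Optimole's code) of a WordPress REST route that moves an attachment, showing a capability-only check beside a hardened one that verifies the caller may edit that particular attachment. The namespace `example/v1` and the `id` parameter name are assumptions for this example.

```php
<?php
// Added illustration, not code from the Optimole plugin.
// Route namespace and the 'id' parameter name are assumptions.

// WEAK: only checks a capability. Every Author has 'upload_files', so any
// Author can name any attachment ID and the check still passes (CWE-639).
function example_weak_permission( WP_REST_Request $request ) {
    return current_user_can( 'upload_files' );
}

// HARDENED: confirm the ID is a real attachment and that the caller may edit
// that specific post. For an Author, 'edit_post' on someone else's attachment
// maps to 'edit_others_posts', which Authors do not have, so it fails.
function example_hardened_permission( WP_REST_Request $request ) {
    $id = absint( $request->get_param( 'id' ) );
    if ( ! $id ) {
        return new WP_Error( 'rest_invalid_id', 'Missing attachment id.', array( 'status' => 400 ) );
    }
    if ( 'attachment' !== get_post_type( $id ) ) {
        return new WP_Error( 'rest_not_attachment', 'Not an attachment.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not modify this media item.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler runs only after the permission callback returned true.
function example_move_image( WP_REST_Request $request ) {
    $id = absint( $request->get_param( 'id' ) );
    // ... perform the offload for $id here; ownership is already enforced.
    return rest_ensure_response( array( 'id' => $id, 'status' => 'queued' ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/move_image', array(
        'methods'             => 'POST',
        'callback'            => 'example_move_image',
        'permission_callback' => 'example_hardened_permission',
        'args'                => array(
            'id' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
        ),
    ) );
} );
```

Swapping `example_hardened_permission` for `example_weak_permission` in the route registration reproduces the class of flaw the advisory describes: the request is authenticated, but the object it names is never checked against the caller.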

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to the integrity of website media content. Attackers with Author-level access can manipulate or offload media assets belonging to other users, potentially leading to unauthorized content changes or disruptions in media delivery. While confidentiality and availability remain unaffected, the integrity compromise can damage brand reputation, user trust, and content reliability, especially for media-heavy websites such as e-commerce, news, and marketing platforms. Organizations relying on WordPress with the Optimole plugin and permitting multiple users with Author or higher privileges are particularly vulnerable. The impact is heightened in sectors where media content authenticity is critical, such as digital publishing and online retail. Additionally, unauthorized media offloading could be leveraged as part of a broader attack chain, for example, to replace images with malicious content or disrupt user experience. However, the requirement for authenticated access limits exploitation to insiders or compromised accounts, reducing the overall attack surface.

Mitigation Recommendations

1. Apply patches or updates from the Optimole plugin vendor as soon as they become available to address the authorization bypass.
2. In the interim, restrict the assignment of Author-level or higher roles to trusted users only, minimizing the number of accounts capable of exploiting the vulnerability.
3. Implement strict monitoring and logging of REST API calls, particularly to the /wp-json/optml/v1/move_image endpoint, to detect unusual or unauthorized media operations.
4. Employ Web Application Firewalls (WAFs) with custom rules to block or alert on suspicious REST API requests targeting the vulnerable endpoint.
5. Conduct regular audits of user roles and permissions within WordPress to ensure least privilege principles are enforced.
6. Educate site administrators and content managers about the risks of elevated privileges and encourage strong authentication practices to prevent account compromise.
7. Consider temporarily disabling the Optimole plugin or the affected REST API endpoint if patching is not immediately feasible and the risk is deemed high.
8. Review media asset integrity regularly to detect unauthorized changes or offloading activities.
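Recommendation 3 above calls for logging calls to the affected endpoint. The following is an added example (not part of the advisory or the Optimole plugin) of a small mu-plugin-style hook that records the caller, the attachment named in the request, and the attachment's owner for every request to that route, flagging cross-user requests so they stand out in the log. The route path comes from the advisory; the `id` parameter name is an assumption.

```php
<?php
// Added example, not code from the Optimole plugin. Drop into wp-content/mu-plugins/.
// Logs every request to the move_image route before its callbacks run.
// The 'id' parameter name is an assumption; the route path is from the advisory.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( '/optml/v1/move_image' !== $request->get_route() ) {
        return $response; // not the endpoint we are auditing
    }

    $user_id = get_current_user_id();
    $id      = absint( $request->get_param( 'id' ) );
    // post_author of the attachment is the uploading user; 0 if the ID is unknown.
    $owner   = $id ? (int) get_post_field( 'post_author', $id ) : 0;
    $ip      = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';

    // CROSS_USER marks requests where the caller is not the attachment's owner.
    // Editors and Administrators legitimately do this; an Author should not.
    $flag = ( $owner && $owner !== $user_id ) ? 'CROSS_USER' : 'same_user';

    error_log( sprintf(
        'optml move_image audit: user=%d ip=%s attachment=%d owner=%d %s',
        $user_id,
        $ip,
        $id,
        $owner,
        $flag
    ) );

    return $response; // unchanged: this hook only observes, it does not block
}, 10, 3 );
```

Pair the log line with a rule in your log pipeline that alerts on `CROSS_USER` entries where the user holds only the Author role; that combination is the pattern the advisory describes.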


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-10-08T17:29:21.851Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68f33944197c8629076f80db

Added to database: 10/18/2025, 6:52:52 AM

Last enriched: 10/25/2025, 9:54:45 AM

Last updated: 12/4/2025, 11:08:27 AM
