The vulnerability CVE-2025-11519 in the Optimole WordPress plugin arises from an insecure direct object reference (IDOR) due to inadequate validation of a user-controlled key parameter in the /wp-json/optml/v1/move_image REST API endpoint. This endpoint is designed to allow media management functions such as moving or offloading images. However, the plugin fails to properly verify that the authenticated user has the authorization to perform actions on the specified media resource. As a result, any authenticated user with Author-level access or higher can manipulate the key parameter to offload media files owned by other users, bypassing intended access controls. This flaw is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability affects all versions up to 4.1.0 of the plugin. The CVSS v3.1 base score is 4.3, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The impact is limited to integrity, as unauthorized media offloading could lead to data manipulation or unauthorized content distribution. No patches or fixes are currently linked, and no active exploitation has been reported. The vulnerability highlights the importance of strict authorization checks on user-supplied parameters in REST API endpoints, especially in plugins handling media and content management.

The primary impact of this vulnerability is unauthorized integrity modification, allowing attackers with Author-level WordPress privileges to offload media files they do not own. This could lead to unauthorized redistribution, manipulation, or deletion of media assets, potentially damaging brand reputation or violating content ownership policies. While confidentiality and availability are not directly affected, the unauthorized offloading of media could be leveraged in broader attacks such as social engineering or content spoofing. Organizations relying on the Optimole plugin for image optimization and CDN services may face risks of media content misuse or unauthorized access to proprietary images. The scope is limited to authenticated users with Author or higher privileges, which reduces the attack surface but still poses a significant risk in multi-user WordPress environments. No known exploits in the wild reduce immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation.

To mitigate this vulnerability, organizations should: 1) Immediately update the Optimole plugin to a patched version once available, as no patch is currently linked. 2) Restrict Author-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this flaw. 3) Implement additional access control mechanisms at the WordPress level, such as custom capability checks or security plugins that monitor REST API usage. 4) Monitor REST API logs for unusual activity related to the /wp-json/optml/v1/move_image endpoint, especially requests involving media keys not owned by the requester. 5) Consider temporarily disabling the Optimole plugin or the vulnerable endpoint if patching is not immediately possible. 6) Educate site administrators on the risks of granting Author-level access to untrusted users. 7) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious API calls targeting media manipulation endpoints. These steps go beyond generic advice by focusing on privilege management, monitoring, and temporary containment until official fixes are released.