CVE-2025-12015 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin 'Convert WebP & AVIF | Quicq,' developed by sanderkah. The issue arises from the lack of a capability check on the AJAX endpoint 'wp_ajax_wpqai_disconnect_quicq_afosto,' which handles requests to disconnect the Afosto service integrated with the plugin. This missing authorization allows any authenticated user with at least Subscriber-level privileges to invoke this endpoint and disconnect Afosto without proper permission validation. Since Subscriber-level access is commonly granted to users with minimal privileges, this vulnerability broadens the attack surface significantly. The impact is limited to unauthorized modification of plugin-related data, specifically the disconnection of Afosto, which may disrupt image optimization workflows or e-commerce integrations relying on Afosto. The vulnerability has a CVSS v3.1 base score of 4.3 (medium severity), reflecting its limited impact on confidentiality and availability but notable impact on integrity. Exploitation requires authentication but no additional user interaction. The vulnerability affects all plugin versions up to and including 2.0.0 and was publicly disclosed on November 13, 2025. No patches or known exploits have been reported at the time of disclosure. This vulnerability highlights the importance of enforcing proper capability checks on AJAX endpoints in WordPress plugins to prevent unauthorized actions by low-privilege users.

The primary impact of CVE-2025-12015 is the unauthorized modification of plugin state by disconnecting the Afosto service, which can disrupt image optimization and e-commerce functionalities dependent on this integration. While the vulnerability does not expose sensitive data or cause denial of service, it undermines the integrity of the plugin's operation and may lead to degraded website performance or broken workflows. Attackers with Subscriber-level access, which is often granted to registered users or customers, can exploit this flaw to interfere with site operations, potentially causing confusion or service interruptions. For organizations relying on this plugin for improving Google PageSpeed scores and image compression, this could result in reduced site performance and user experience degradation. Although the vulnerability does not directly compromise confidentiality or availability, the integrity impact and ease of exploitation by low-privilege users make it a concern for WordPress site administrators, especially those with multiple user roles and e-commerce integrations.

To mitigate CVE-2025-12015, organizations should immediately update the 'Convert WebP & AVIF | Quicq' plugin to a patched version once available from the vendor. Until a patch is released, administrators can implement the following specific mitigations: 1) Restrict Subscriber-level user capabilities by reviewing and tightening user role permissions to limit access to AJAX endpoints where possible. 2) Use a Web Application Firewall (WAF) to monitor and block unauthorized AJAX requests targeting 'wp_ajax_wpqai_disconnect_quicq_afosto.' 3) Disable or remove the plugin if it is not essential to reduce the attack surface. 4) Implement custom code or hooks to add capability checks on the vulnerable AJAX endpoint if feasible. 5) Monitor logs for suspicious activity related to the Afosto disconnection endpoint to detect potential exploitation attempts. 6) Educate site administrators and users about the risks of granting Subscriber-level access unnecessarily. These targeted mitigations go beyond generic advice by focusing on controlling access to the specific vulnerable functionality and monitoring for exploitation.