CVE-2025-12190 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Image Optimizer by wps.sk plugin for WordPress, affecting all versions up to and including 1.2.0. The vulnerability stems from the imagopby_ajax_optimize_gallery() function lacking proper nonce validation, which is a security token mechanism designed to verify the legitimacy of requests. Without this validation, attackers can craft malicious web requests that, when executed by an authenticated administrator (e.g., by clicking a specially crafted link), trigger bulk image optimization operations without the administrator's consent. This unauthorized action could lead to unintended modifications of image assets managed by the plugin, potentially affecting website content presentation or performance. The vulnerability requires no prior authentication but does require user interaction, specifically targeting administrators with sufficient privileges. The CVSS 3.1 base score is 4.3, reflecting a medium severity level due to the limited impact on confidentiality and availability, but a potential integrity impact. No patches or fixes are currently linked, and no exploits have been reported in the wild, indicating that the vulnerability is newly disclosed. The plugin is used within WordPress environments, which are widely deployed across Europe, making this a relevant concern for organizations relying on this plugin for image optimization tasks.

For European organizations, this vulnerability could lead to unauthorized modification of website image optimization processes, potentially degrading user experience or causing operational disruptions in content delivery. While it does not directly expose sensitive data or cause denial of service, the integrity of website content could be compromised, which may affect brand reputation and trust. Attackers exploiting this vulnerability could manipulate image optimization settings or trigger resource-intensive operations, potentially leading to performance issues. Organizations with high-traffic WordPress sites using this plugin are at increased risk. Additionally, if attackers combine this CSRF with other vulnerabilities or social engineering tactics, it could facilitate broader compromise. The impact is particularly relevant for sectors with strict content integrity requirements, such as media, e-commerce, and government websites. Given that exploitation requires administrator interaction, the risk can be mitigated by user awareness and administrative controls, but the threat remains significant due to the widespread use of WordPress and associated plugins in Europe.

To mitigate this vulnerability, organizations should immediately verify if they use the Image Optimizer by wps.sk plugin and upgrade to a patched version once available. In the absence of a patch, administrators should restrict access to the WordPress admin panel to trusted networks and users only, employing IP whitelisting or VPNs where feasible. Implementing Web Application Firewalls (WAFs) with rules to detect and block CSRF attempts targeting the imagopby_ajax_optimize_gallery() endpoint can provide interim protection. Administrators should be trained to recognize phishing and social engineering attempts that could trick them into clicking malicious links. Additionally, site owners can implement custom nonce validation or CSRF tokens in the plugin code as a temporary fix. Regular backups of website content and configurations are recommended to enable recovery from any unauthorized changes. Monitoring administrative actions and logs for unusual bulk optimization requests can help detect exploitation attempts early.