CVE-2025-12190: CWE-352 Cross-Site Request Forgery (CSRF) in duddi Image Optimizer by wps.sk
The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-12190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Image Optimizer plugin by wps.sk for WordPress, affecting all versions up to and including 1.2.0. The flaw is missing or incorrect nonce validation in the imagopby_ajax_optimize_gallery() function, the AJAX handler that starts bulk image optimization. WordPress nonces are short-lived tokens tied to the current user and session; a handler must verify one (typically with check_ajax_referer() or wp_verify_nonce()) to confirm that the request was produced by a page the site itself served to that user rather than by a third-party page. Because that check is absent or ineffective here, an attacker can host a page or send a link that, when opened by a logged-in site administrator, makes the administrator's browser submit the optimization request with the administrator's session cookies attached. The attacker needs no account on the site, but does need the administrator to interact with the malicious content, for example by clicking a link. Since admin-ajax.php dispatches actions from both GET and POST parameters, a plain link is enough; the browser default of SameSite=Lax for cookies blocks cross-site POSTs but still sends cookies on a top-level GET navigation, so it does not close this vector.

The rated impact is limited to integrity: an unsolicited bulk run modifies image files and consumes CPU and disk while it runs, which can degrade site performance. The CVSS 3.1 assessment rates confidentiality and availability as not affected, giving a base score of 4.3 (medium); that reflects low attack complexity and no required privileges, offset by the need for user interaction and the limited scope. No patch or public exploit was available at the time of publication, but the vulnerability is published and should be addressed promptly. The plugin runs in WordPress environments, which are widespread across European organizations, especially in sectors relying on content management and e-commerce. The root cause is a common WordPress plugin mistake: an AJAX handler that performs privileged work without verifying a nonce. A capability check alone does not prevent CSRF, because the forged request is sent by the administrator's own browser with the administrator's own session; both a nonce check and a capability check belong at the top of every wp_ajax_ handler.
Potential Impact
For European organizations, this vulnerability could allow unsolicited bulk image optimization runs on WordPress sites using the affected plugin. It does not expose data or take the site down, but a run started without consent consumes CPU, memory and disk while it processes media files, which can slow page loads, raise server load and disrupt the user experience; this matters most for e-commerce or media-heavy sites. An unwanted run may also alter image files in ways the site owner did not choose. On its own the flaw gives an attacker no code execution or data access, so its value in a broader attack chain is limited to nuisance and resource exhaustion. Organizations with strict uptime and performance requirements may face reputational damage or operational inefficiencies. The requirement for administrator interaction makes social engineering the key risk factor, so user awareness matters. Given the widespread use of WordPress in Europe, particularly in Germany, the UK, France and the Netherlands, the population of exposed sites in these markets is large. The absence of known exploitation in the wild lowers the immediate risk but does not remove the need for proactive mitigation.
Mitigation Recommendations
1. Update the Image Optimizer by wps.sk plugin to a version that validates the nonce in imagopby_ajax_optimize_gallery() as soon as one is available.
2. If no fixed version exists, add the check yourself (in a must-use plugin or a fork): call check_ajax_referer() with an action-specific nonce at the top of the handler, and have the admin page that triggers optimization pass a nonce created with wp_create_nonce() for the same action. If that is not practical, deactivate the plugin until it is fixed.
3. Keep a capability check (current_user_can()) in the handler so that only users allowed to manage the media library can start a run. This does not by itself stop CSRF, because the forged request is sent by the administrator's own browser with the administrator's own session; it limits what a lower-privileged victim could be tricked into doing and should accompany, not replace, the nonce check.
4. Educate site administrators about the risks of clicking unsolicited links and about not browsing untrusted sites while logged in to the WordPress dashboard in the same browser; the attack requires an active admin session.
5. Monitor web server logs for admin-ajax.php requests that carry the plugin's optimization action together with an Origin or Referer header from a foreign host, and for spikes in resource usage or unexpected modification times on media files that could indicate an unsolicited run.
6. If a WAF or reverse proxy sits in front of the site, reject requests to /wp-admin/admin-ajax.php whose Origin or Referer header, when present, does not match the site's own host; this origin check is more reliable than generic CSRF signatures.
7. Regularly audit WordPress plugins for nonce and capability checks in every wp_ajax_ and admin_post_ handler, to prevent similar vulnerabilities.
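The following is an added illustration of the pattern described in the technical summary and in mitigation steps 2 and 3: a WordPress AJAX handler that does privileged work without a nonce check, beside a hardened version that verifies the nonce, then the capability, then acts. It is example code written for this page, not the Image Optimizer by wps.sk plugin's source. Only the function name imagopby_ajax_optimize_gallery() comes from the advisory; the wp_ajax_ action name imagopby_optimize_gallery, the request parameters, the upload_files capability, the script handle, the JavaScript object name and the worker function are assumptions.

```php
<?php
/**
 * Added example, not the plugin's own code. Assumed names (not from the
 * advisory): action 'imagopby_optimize_gallery', parameters 'nonce' and
 * 'gallery_id', capability 'upload_files', script handle 'imagopby-admin',
 * JS object 'imagopbyAjax', worker imagopby_run_bulk_optimization().
 */

// Hypothetical worker: flag each image attachment in the gallery for a
// background job rather than recompressing inline. Returns the count flagged.
function imagopby_run_bulk_optimization( $gallery_id ) {
    $attachment_ids = get_posts( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'image',
        'post_parent'    => $gallery_id,
        'posts_per_page' => -1,
        'fields'         => 'ids',
    ) );
    foreach ( $attachment_ids as $id ) {
        update_post_meta( $id, '_imagopby_pending', time() );
    }
    return count( $attachment_ids );
}

// VULNERABLE SHAPE (the defect the advisory describes): no nonce check, so
// any request that reaches the handler with an admin session attached runs.
// admin-ajax.php reads the action from GET or POST, so a link such as
//   /wp-admin/admin-ajax.php?action=imagopby_optimize_gallery&gallery_id=42
// opened by a logged-in administrator from a third-party page is enough.
function imagopby_ajax_optimize_gallery() {
    $gallery_id = absint( $_REQUEST['gallery_id'] ?? 0 );
    $count      = imagopby_run_bulk_optimization( $gallery_id );
    wp_send_json_success( array( 'queued' => $count ) );
}

// HARDENED SHAPE: nonce first, capability second, state change last.
function imagopby_ajax_optimize_gallery_fixed() {
    // 1. CSRF: require a nonce minted for this action and this user. With
    //    $die = false the function returns false instead of die('-1'), so we
    //    can answer with a JSON 403.
    if ( ! check_ajax_referer( 'imagopby_optimize_gallery', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }
    // 2. Authorization: a nonce proves where the request came from, not what
    //    the user may do. Require the capability the action needs (assumed).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 3. Only now read input (POST only) and touch state.
    $gallery_id = absint( $_POST['gallery_id'] ?? 0 );
    if ( 0 === $gallery_id ) {
        wp_send_json_error( array( 'message' => 'Missing gallery_id.' ), 400 );
    }
    $count = imagopby_run_bulk_optimization( $gallery_id );
    wp_send_json_success( array( 'queued' => $count, 'gallery_id' => $gallery_id ) );
}
// Hook only the privileged variant; no wp_ajax_nopriv_ hook, so anonymous
// visitors never reach the handler at all.
add_action( 'wp_ajax_imagopby_optimize_gallery', 'imagopby_ajax_optimize_gallery_fixed' );

// The admin screen that triggers the run hands a fresh nonce to its script.
// wp_create_nonce() ties the token to the current user and session and it
// expires within 24 hours, so a third-party page cannot know or guess it.
function imagopby_enqueue_admin_script( $hook_suffix ) {
    if ( 'upload.php' !== $hook_suffix ) {   // assumed: UI lives on Media Library
        return;
    }
    wp_enqueue_script( 'imagopby-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'imagopby-admin', 'imagopbyAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'imagopby_optimize_gallery' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'imagopby_enqueue_admin_script' );

/* admin.js (assumed) then sends:
 *   jQuery.post( imagopbyAjax.url, {
 *       action: 'imagopby_optimize_gallery',
 *       nonce: imagopbyAjax.nonce,
 *       gallery_id: 42
 *   } );
 * A request forged from another origin cannot include a valid nonce and is
 * refused with HTTP 403 before any optimization work starts.
 */
```

The order of the three checks is deliberate: the nonce check runs first because it is the cheapest way to reject a forged request, the capability check guards against a logged-in low-privilege user who does hold a valid nonce for some other screen, and input is read from $_POST only so that a link-click (GET) cannot supply parameters even if a nonce were ever leaked into a URL.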
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-24T20:04:51.655Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327172f88dbe026c779928
Added to database: 12/5/2025, 5:45:22 AM
Last enriched: 12/5/2025, 6:03:52 AM
Last updated: 12/8/2025, 11:40:39 PM