CVE-2025-14482: CWE-862 Missing Authorization in crushpics Crush.pics Image Optimizer – Image Compression and Optimization
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.
AI Analysis
Technical Summary
CVE-2025-14482 is a vulnerability identified in the Crush.pics Image Optimizer – Image Compression and Optimization plugin for WordPress, affecting all versions up to and including 1.8.7. The core issue is a missing authorization check (CWE-862) on multiple plugin functions: authenticated users with Subscriber-level privileges or higher can modify plugin settings without any capability verification. This allows unauthorized modification of plugin configuration, such as disabling automatic image compression and adjusting image quality parameters. Since WordPress Subscriber roles typically have very limited permissions, this flaw extends their reach beyond the intended boundary and can undermine site optimization and performance. The vulnerability has a CVSS v3.1 base score of 4.3 (medium severity): network attack vector, low attack complexity, low privileges required, no user interaction, and unchanged scope. Confidentiality and availability are not directly affected; the impact is to the integrity of plugin settings. No exploitation in the wild has been reported, and no official patch had been released as of the publication date. The vulnerability was reserved in December 2025 and published in January 2026. The plugin is widely used for image optimization in WordPress environments, so the issue is relevant to many sites that rely on Crush.pics for media management.
Potential Impact
The primary impact of CVE-2025-14482 is the unauthorized modification of plugin settings by low-privilege authenticated users, which can degrade website image optimization effectiveness. This may lead to increased page load times, higher bandwidth usage, and a poorer user experience due to suboptimal image compression settings. While it does not directly expose sensitive data or cause service outages, the integrity of the website’s media optimization process is compromised. Attackers could disable auto-compression or reduce image quality, potentially affecting SEO rankings and user engagement. Organizations with multiple users having Subscriber or higher roles are at greater risk, especially if role assignments are not tightly controlled. The vulnerability could also be leveraged as part of a broader attack chain to weaken site performance or facilitate other malicious activities by degrading site reliability or user trust.
Mitigation Recommendations
To mitigate CVE-2025-14482, organizations should immediately audit user roles and permissions within their WordPress installations to ensure that only trusted users have Subscriber-level or higher access. Limit the number of users with such privileges and enforce the principle of least privilege. Monitor plugin settings regularly for unauthorized changes, particularly image compression and quality parameters. Until an official patch is released, consider temporarily disabling or replacing the Crush.pics plugin with alternative image optimization solutions that enforce proper authorization. Implement web application firewalls (WAFs) with rules to detect and block suspicious requests targeting plugin settings endpoints. Stay informed about updates from the plugin vendor and apply patches promptly once available. Additionally, consider employing WordPress security plugins that can enforce capability checks and alert on unauthorized configuration changes.
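The advisory describes the root cause as missing capability checks on settings-changing functions. The following is an added illustration, not code from the Crush.pics plugin or from Wordfence: a hypothetical WordPress image-optimizer settings handler, first in the CWE-862 shape (any logged-in user can save settings), then hardened with a nonce check, a capability check and input validation, plus an audit hook that logs who changed the option. The option name `example_imgopt_settings`, the AJAX action names and all function names are assumptions made for this example.

```php
<?php
/**
 * Added example (not the Crush.pics plugin's own code).
 * Option name, AJAX actions and function names are hypothetical.
 */

// --- Vulnerable shape (illustrative only) ---
// wp_ajax_{action} fires for every authenticated user, Subscriber included,
// so without a capability check the handler trusts whoever is logged in.
add_action( 'wp_ajax_example_imgopt_save_settings_unsafe', 'example_imgopt_save_settings_unsafe' );
function example_imgopt_save_settings_unsafe() {
    $settings = array(
        'auto_compress' => ! empty( $_POST['auto_compress'] ),
        'quality'       => absint( $_POST['quality'] ?? 80 ),
    );
    update_option( 'example_imgopt_settings', $settings ); // no authorization, no nonce
    wp_send_json_success( $settings );
}

// --- Hardened version: nonce (CSRF) + capability check (authorization) + validation ---
add_action( 'wp_ajax_example_imgopt_save_settings', 'example_imgopt_save_settings' );
function example_imgopt_save_settings() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_imgopt_save_settings', 'nonce' );

    // 2. Authorization: only users allowed to manage site options may change
    //    optimizer settings. This is the check whose absence is CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: clamp quality to 1..100, coerce the toggle to bool.
    $quality = isset( $_POST['quality'] ) ? absint( wp_unslash( $_POST['quality'] ) ) : 80;
    $quality = max( 1, min( 100, $quality ) );

    $settings = array(
        'auto_compress' => ! empty( $_POST['auto_compress'] ),
        'quality'       => $quality,
    );
    update_option( 'example_imgopt_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Detection: record who changed the option, from where, and what changed ---
// update_option_{$option} fires after a successful update with (old, new, option).
add_action( 'update_option_example_imgopt_settings', 'example_imgopt_audit_change', 10, 3 );
function example_imgopt_audit_change( $old_value, $value, $option ) {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'n/a';
    error_log( sprintf(
        '[imgopt-audit] option=%s user=%s(id=%d) roles=%s ip=%s old=%s new=%s',
        $option,
        $user->user_login,
        $user->ID,
        implode( ',', (array) $user->roles ),
        $ip,
        wp_json_encode( $old_value ),
        wp_json_encode( $value )
    ) );
}
```

Two points matter when reviewing a plugin for this class of bug. A nonce check alone is not authorization: any logged-in user can obtain a valid nonce from a page that renders it, so `check_ajax_referer()` only proves the request originated from the site, while `current_user_can()` is what actually restricts the action to an appropriate role. And the audit hook gives the "monitor plugin settings for unauthorized changes" recommendation something concrete to monitor: a log line showing the option changed by an account whose roles do not include `administrator` is a direct indicator that a missing-authorization path is being used.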
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T19:10:58.805Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69672e008330e067168f3fd3
Added to database: 1/14/2026, 5:47:44 AM
Last enriched: 2/27/2026, 11:22:26 AM
Last updated: 3/23/2026, 8:08:43 PM