VYPR
Unrated severity · NVD Advisory · Published Aug 24, 2024 · Updated Apr 8, 2026

ImageRecycle pdf & image compression <= 3.1.14 - Cross-Site Request Forgery in Several AJAX Actions

CVE-2024-8120

Description

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.14. This is due to missing or incorrect nonce validation on several functions in the class/class-image-otimizer.php file. This makes it possible for unauthenticated attackers to update plugin settings along with performing other actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in ImageRecycle pdf & image compression plugin for WordPress allows unauthenticated attackers to perform actions via forged requests.

Vulnerability

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.1.14. This is due to missing or incorrect nonce validation on several functions in the class/class-image-otimizer.php file [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious request that performs actions such as updating plugin settings. The attacker must trick a site administrator into performing an action, such as clicking on a link, which triggers the forged request. No authentication is required for the attacker themselves, but user interaction from an administrator is necessary [1].

Impact

Successful exploitation allows an attacker to modify plugin settings and perform other actions on behalf of the administrator, potentially leading to further compromise of the WordPress installation. The attacker can achieve unauthorized changes to the plugin configuration, which may affect image compression settings or other plugin functionalities [1].

Mitigation

The vulnerability has been fixed in version 3.1.18, released on 2025-09-30. Users are advised to update to version 3.1.18 or later to mitigate the issue [1]. No workarounds have been published, and the plugin is not known to be listed in the CISA KEV catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
