Medium severity5.4OSV Advisory· Published Oct 18, 2025· Updated Apr 15, 2026

CVE-2025-11378

Description

The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.

Affected products

Short Pixel Optimizer/Shortpixel Image OptimiserOSV
Range: v4.14.6, v4.15.0, v4.15.2, …

Patches

74263060acaf

https://github.com/short-pixel-optimizer/shortpixel-image-optimiservia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/short-pixel-optimizer/shortpixel-image-optimiser/commit/74263060acafbaf63b4a34f339a8b0dc35f2cad9nvd
plugins.trac.wordpress.org/changesetnvd
research.cleantalk.org/CVE-2025-11378nvd
www.wordfence.com/threat-intel/vulnerabilities/id/1f7e9eb5-e222-43fa-a14f-b9cbced6b8f5nvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000