CVE-2025-12015

The Convert WebP & AVIF | Quicq plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint. This affects all versions up to and including 2.0.0. The endpoint is intended for administrative actions but does not verify that the requesting user has the necessary permissions. As a result, any authenticated user, including those with Subscriber-level access, can invoke the disconnection action. The missing check constitutes a security flaw that allows low-privileged users to perform a sensitive operation. [1]

To exploit this vulnerability, an attacker must be authenticated to the WordPress site with at least a Subscriber account. No additional privileges are required. The attacker can send a crafted POST request to the AJAX endpoint to disconnect the Afosto service. This can be done without any prior interaction or authentication tokens beyond the standard WordPress nonce, which is often accessible to authenticated users. [1]

The impact is the unauthorized disconnection of the Afosto integration, which may disrupt image optimization services provided by the plugin. This could lead to a loss of functionality and potential degradation of the site's performance optimization features. The data modification is limited to the disconnection action, but it does not expose sensitive data or allow further privilege escalation. [1]

As of October 4, 2025, the plugin has been closed and is no longer available for download, likely due to guideline violations. There is no patched version, and users are advised to remove the plugin and seek alternative image optimization solutions. No workaround is provided, and site owners should ensure that any active installations are deactivated and uninstalled to prevent exploitation. [1]