Platform
wordpress
Component
image-optimizer-wpssk
Fixed in
1.2.1
CVE-2025-12190 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the Image Optimizer by wps.sk plugin for WordPress. This flaw allows unauthenticated attackers to trigger bulk optimization actions if they can trick a site administrator into clicking a malicious link. The vulnerability impacts versions 0.0.0 through 1.2.0, and a patch is expected to be released by the vendor.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized bulk optimization of images. An attacker could craft a malicious link that, when clicked by a WordPress administrator, would initiate the optimization process without their knowledge or consent. This could lead to excessive server load, resource exhaustion, and potentially degrade website performance. While the vulnerability doesn't directly expose sensitive data, the attacker could leverage it to disrupt site operations or perform other actions depending on the plugin's functionality and administrator privileges.
CVE-2025-12190 was publicly disclosed on 2025-12-05. There are currently no publicly available proof-of-concept exploits. The vulnerability's CVSS score of 4.3 (Medium) suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. Monitor security advisories and plugin updates for further information.
WordPress websites utilizing the Image Optimizer by wps.sk plugin, particularly those with administrator accounts that are regularly exposed to phishing attempts or other social engineering tactics, are at risk. Shared hosting environments where multiple websites share the same server resources could experience broader impact if one site is compromised.
• wordpress / composer / npm:
grep -r 'imagopby_ajax_optimize_gallery' /var/www/html/wp-content/plugins/image-optimizer-by-wps-sk/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=imagopby_ajax_optimize_gallery&some_param=value' | grep -i 'referer'
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'image-optimizer-by-wps-sk'
Disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-12190 is to immediately upgrade the Image Optimizer by wps.sk plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule that filters requests to the imagopby_ajax_optimize_gallery() action which lack a valid nonce. Additionally, restrict administrator access to the plugin's optimization features and educate users about the risks of clicking suspicious links. After upgrading, verify the fix by attempting to trigger the optimization process via a crafted URL and confirming that it is blocked.
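The root cause described above, a WordPress AJAX action that runs without nonce or capability verification, is easiest to recognise side by side with its fixed form. The following is an added illustration, not the plugin's own code: only the action name imagopby_ajax_optimize_gallery comes from the advisory, while the function names, the nonce action string, the option keys and the capability are assumed for the example.

```php
<?php
// Added example of the CSRF pattern behind a missing-nonce WordPress AJAX handler.
// NOT the plugin's code: only the hook name is taken from the advisory; everything
// else (function names, nonce action, capability, script handle) is assumed.

// "Before": the handler does whatever the request asks as soon as the admin's
// browser sends it. A form or image tag on a third-party page can submit this
// request with the admin's cookies attached, which is the CSRF condition.
function example_vulnerable_optimize_gallery() {
    // No nonce check and no capability check: any request that carries a
    // logged-in administrator's session cookies starts the bulk run.
    do_action( 'example_run_bulk_optimization' );
    wp_send_json_success( array( 'status' => 'started' ) );
}
// Vulnerable wiring, kept only to show what the fix replaces:
// add_action( 'wp_ajax_imagopby_ajax_optimize_gallery', 'example_vulnerable_optimize_gallery' );

// "After": require a nonce tied to this specific action, then an appropriate capability.
function example_hardened_optimize_gallery() {
    // check_ajax_referer() terminates the request with a 403-style response when the
    // 'nonce' parameter is absent or does not verify against the action string.
    // A cross-site page cannot obtain this value, so the forged request stops here.
    check_ajax_referer( 'example_optimize_gallery_nonce', 'nonce' );

    // A valid nonce proves intent, not privilege: still require an admin-level capability
    // before triggering work that can exhaust server resources.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    do_action( 'example_run_bulk_optimization' );
    wp_send_json_success( array( 'status' => 'started' ) );
}
add_action( 'wp_ajax_imagopby_ajax_optimize_gallery', 'example_hardened_optimize_gallery' );

// The legitimate admin page must hand the nonce to its script so the real AJAX call
// can include it as the 'nonce' parameter that check_ajax_referer() looks for.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-optimizer', plugins_url( 'optimizer.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-optimizer', 'exampleOptimizer', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_optimize_gallery_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The nonce is the control that a WAF can only approximate, because the firewall cannot know whether a given nonce value is valid for the current user and action; it can at most reject requests to the action that carry no nonce parameter at all, which is why the upgrade remains the real fix.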
No known patch available. Please review the details of the vulnerability thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-12190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Image Optimizer by wps.sk WordPress plugin, allowing attackers to trigger unauthorized image optimization actions.
You are affected if your WordPress site uses the Image Optimizer by wps.sk plugin in versions 0.0.0 through 1.2.0.
Upgrade the Image Optimizer by wps.sk plugin to a patched version. If upgrading isn't possible, implement a WAF rule to validate nonces.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the wps.sk website and WordPress plugin repository for the latest advisory and update information.