Platform
wordpress
Component
image-optimizer-wpssk
Fixed in
1.2.1
CVE-2025-12190 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the Image Optimizer by wps.sk plugin for WordPress. This flaw allows unauthenticated attackers to trigger bulk optimization actions if they can trick a site administrator into clicking a malicious link. The vulnerability impacts versions 0.0.0 through 1.2.0, and a patch is expected to be released by the vendor.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized bulk optimization of images. An attacker could craft a malicious link that, when clicked by a WordPress administrator, would initiate the optimization process without their knowledge or consent. This could lead to excessive server load, resource exhaustion, and potentially degrade website performance. While the vulnerability doesn't directly expose sensitive data, the attacker could leverage it to disrupt site operations or perform other actions depending on the plugin's functionality and administrator privileges.
CVE-2025-12190 was publicly disclosed on 2025-12-05. There are currently no publicly available proof-of-concept exploits. The vulnerability's CVSS score of 4.3 (Medium) suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. Monitor security advisories and plugin updates for further information.
WordPress websites utilizing the Image Optimizer by wps.sk plugin, particularly those with administrator accounts that are regularly exposed to phishing attempts or other social engineering tactics, are at risk. Shared hosting environments where multiple websites share the same server resources could experience broader impact if one site is compromised.
• wordpress / composer / npm:
grep -r 'imagopby_ajax_optimize_gallery' /var/www/html/wp-content/plugins/image-optimizer-by-wps-sk/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=imagopby_ajax_optimize_gallery&some_param=value' | grep -i 'referer'
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'image-optimizer-by-wps-sk'
Disclosure
Exploit Status
EPSS
0.02% (percentile 3%)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2025-12190 is to immediately upgrade the Image Optimizer by wps.sk plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out requests lacking proper nonce validation for the imagopby_ajax_optimize_gallery() handler. Additionally, restrict administrator access to the plugin's optimization features and educate users about the risks of clicking suspicious links. After upgrading, verify the fix by attempting to trigger the optimization process via a crafted URL and confirming that it is blocked.
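To make the nonce-validation point concrete, the following is an added illustration and not the plugin's own code: a hypothetical WordPress admin-ajax handler for a bulk-optimization action, first in the CSRF-prone shape this advisory describes (capability check only) and then hardened with a nonce bound to the action. The action name is taken from the detection commands above; the nonce action string, script handle and job body are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical handler for the
// admin-ajax action named on this page; job body and handle are assumed.

function run_bulk_optimization() {
    // Hypothetical heavy job: walk every image attachment and re-encode it.
    // Left as a placeholder because the CSRF issue is in the request gate,
    // not in the optimization itself.
}

// --- CSRF-prone shape: capability check only, no nonce ---------------------
// Any request carrying the logged-in admin's session cookies is accepted, so
// a request initiated from a third-party page can start the bulk job.
function vuln_optimize_gallery() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    run_bulk_optimization();
    wp_send_json_success();
}

// --- Hardened shape: nonce tied to the action, checked before any work ------
function safe_optimize_gallery() {
    // check_ajax_referer() looks for a nonce created with
    // wp_create_nonce( 'imagopby_optimize' ) in the _ajax_nonce field and
    // terminates the request with HTTP 403 ("-1") when it is missing or stale.
    check_ajax_referer( 'imagopby_optimize', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    run_bulk_optimization();
    wp_send_json_success();
}
add_action( 'wp_ajax_imagopby_ajax_optimize_gallery', 'safe_optimize_gallery' );

// The nonce has to reach the legitimate admin page's JavaScript, which then
// sends it as _ajax_nonce with the request. 'imagopby-admin' is an assumed
// script handle registered elsewhere by the plugin.
function optimize_admin_assets() {
    wp_localize_script( 'imagopby-admin', 'imagopbyAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'imagopby_optimize' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'optimize_admin_assets' );
```

A WAF rule that drops admin-ajax.php requests for this action without an _ajax_nonce parameter only approximates this check; WordPress nonces are user- and time-bound, so the server-side check_ajax_referer() call is what actually closes the gap.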
No known fix is available. Please review the vulnerability details thoroughly and implement mitigations according to your organization's risk tolerance. It may be preferable to uninstall the affected software and find a replacement.
CVE-2025-12190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Image Optimizer by wps.sk WordPress plugin, allowing attackers to trigger unauthorized image optimization actions.
You are affected if your WordPress site uses the Image Optimizer by wps.sk plugin in versions 0.0.0 through 1.2.0.
Upgrade the Image Optimizer by wps.sk plugin to a patched version. If upgrading isn't possible, implement a WAF rule to validate nonces.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the wps.sk website and WordPress plugin repository for the latest advisory and update information.