Platform: wordpress
Component: image-optimizer-wpssk
Fixed in: 1.2.1
CVE-2025-12190 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the Image Optimizer by wps.sk plugin for WordPress. This flaw allows unauthenticated attackers to trigger bulk optimization actions if they can trick a site administrator into clicking a malicious link. The vulnerability impacts versions 0.0.0 through 1.2.0, and a patch is expected to be released by the vendor.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized bulk optimization of images. An attacker could craft a malicious link that, when clicked by a WordPress administrator, would initiate the optimization process without their knowledge or consent. This could lead to excessive server load, resource exhaustion, and potentially degrade website performance. While the vulnerability doesn't directly expose sensitive data, the attacker could leverage it to disrupt site operations or perform other actions depending on the plugin's functionality and administrator privileges.
CVE-2025-12190 was publicly disclosed on 2025-12-05. There are currently no publicly available proof-of-concept exploits. The vulnerability's CVSS score of 4.3 (Medium) suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. Monitor security advisories and plugin updates for further information.
WordPress websites utilizing the Image Optimizer by wps.sk plugin, particularly those with administrator accounts that are regularly exposed to phishing attempts or other social engineering tactics, are at risk. Shared hosting environments where multiple websites share the same server resources could experience broader impact if one site is compromised.
• wordpress / composer / npm:
    grep -r 'imagopby_ajax_optimize_gallery' /var/www/html/wp-content/plugins/image-optimizer-by-wps-sk/
• generic web:
    curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=imagopby_ajax_optimize_gallery&some_param=value' | grep -i 'referer'
• wordpress / composer / npm:
    wp plugin list --status=inactive | grep 'image-optimizer-by-wps-sk'
Disclosure
Exploit Status
EPSS: 0.02% (3rd percentile)
The recommended mitigation for CVE-2025-12190 is to upgrade the Image Optimizer by wps.sk plugin immediately to a version that addresses the vulnerability. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that filters requests to the `imagopby_ajax_optimize_gallery` AJAX action which lack the expected nonce parameter. Additionally, restrict administrator access to the plugin's optimization features and educate users about the risks of clicking suspicious links. After upgrading, verify the fix by attempting to trigger the optimization process via a crafted URL and confirming that it is blocked.
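The missing control behind this CVE is a nonce check on an admin-ajax handler, and that check has to run inside WordPress itself, because a nonce is a per-user, per-session value a WAF cannot recompute. The following is an added illustration of that bug class in a generic plugin, not code from the Image Optimizer by wps.sk plugin: only the action name `imagopby_ajax_optimize_gallery` comes from this advisory, while the function names, the capability and the nonce action string are assumptions.

```php
<?php
// Added illustration only; not the Image Optimizer by wps.sk plugin's code.
// Function names, capability and nonce action string are assumptions.

// Hypothetical expensive job that the handler kicks off.
function example_run_bulk_optimization() {
    set_transient( 'example_optimize_pending', time(), HOUR_IN_SECONDS );
}

// CSRF-prone pattern: wp_ajax_ hooks only require a logged-in user, so an
// administrator's browser can be made to fire this from any third-party page.
// No nonce is verified, which is the class of flaw the advisory describes.
function example_optimize_gallery_unsafe() {
    example_run_bulk_optimization();
    wp_send_json_success();
}

// Hardened pattern: verify the nonce bound to this action AND the capability.
function example_optimize_gallery_safe() {
    // Verifies $_REQUEST['_ajax_nonce'] against the action; by default it
    // terminates the request with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'imagopby_optimize_gallery', '_ajax_nonce' );

    // A nonce proves intent, not authority: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    example_run_bulk_optimization();
    wp_send_json_success();
}
add_action( 'wp_ajax_imagopby_ajax_optimize_gallery', 'example_optimize_gallery_safe' );

// The legitimate admin page must hand the matching nonce to its script
// (assumes a script with handle 'example-optimizer-js' is already enqueued).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-optimizer-js', 'exampleOptimizer', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'imagopby_optimize_gallery' ),
    ) );
    // Client side then posts:
    // { action: 'imagopby_ajax_optimize_gallery', _ajax_nonce: exampleOptimizer.nonce }
} );
```

A request that reaches the handler from a foreign origin carries no valid `_ajax_nonce`, so `check_ajax_referer()` stops it before the bulk job starts; that failed request, not a successful optimization run, is what the post-upgrade verification step above should observe.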
No known patch is available. Study the details of the vulnerability thoroughly and implement mitigations based on your organization's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2025-12190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Image Optimizer by wps.sk WordPress plugin, allowing attackers to trigger unauthorized image optimization actions.
You are affected if your WordPress site uses the Image Optimizer by wps.sk plugin in versions 0.0.0 through 1.2.0.
Upgrade the Image Optimizer by wps.sk plugin to a patched version. If upgrading isn't possible, implement a WAF rule to validate nonces.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the wps.sk website and WordPress plugin repository for the latest advisory and update information.