Platform
wordpress
Component
image-optimizer-wpssk
Fixed version
1.2.1
CVE-2025-12190 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the Image Optimizer by wps.sk plugin for WordPress. This flaw allows unauthenticated attackers to trigger bulk optimization actions if they can trick a site administrator into clicking a malicious link. The vulnerability impacts versions 0.0.0 through 1.2.0, and a patch is expected to be released by the vendor.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized bulk optimization of images. An attacker could craft a malicious link that, when clicked by a WordPress administrator, would initiate the optimization process without their knowledge or consent. This could lead to excessive server load, resource exhaustion, and potentially degrade website performance. While the vulnerability doesn't directly expose sensitive data, the attacker could leverage it to disrupt site operations or perform other actions depending on the plugin's functionality and administrator privileges.
CVE-2025-12190 was publicly disclosed on 2025-12-05. There are currently no publicly available proof-of-concept exploits. The vulnerability's CVSS score of 4.3 (Medium) suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. Monitor security advisories and plugin updates for further information.
WordPress websites utilizing the Image Optimizer by wps.sk plugin, particularly those with administrator accounts that are regularly exposed to phishing attempts or other social engineering tactics, are at risk. Shared hosting environments where multiple websites share the same server resources could experience broader impact if one site is compromised.
• wordpress / composer / npm:
grep -r 'imagopby_ajax_optimize_gallery' /var/www/html/wp-content/plugins/image-optimizer-by-wps-sk/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=imagopby_ajax_optimize_gallery&some_param=value' | grep -i 'referer'
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'image-optimizer-by-wps-sk'
Disclosure
Exploitation status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-12190 is to immediately upgrade the Image Optimizer by wps.sk plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule that blocks requests to the imagopby_ajax_optimize_gallery AJAX action which do not carry a valid nonce. Additionally, restrict administrator access to the plugin's optimization features and educate users about the risks of clicking suspicious links. After upgrading, verify the fix by attempting to trigger the optimization process via a crafted URL and confirming that it is blocked.
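The following is an added illustration, not code from the page and not the plugin's own source: a hypothetical WordPress AJAX handler registered for the action named above, shown first in the unchecked form that produces the CSRF condition the advisory describes and then in the hardened form that a nonce check (and a capability check) gives it. Only the action name imagopby_ajax_optimize_gallery comes from the page; the helper imagopby_run_bulk_optimization, the nonce action string, the script handle, the JSON payload shape and the admin screen the script is loaded on are all assumptions.

```php
<?php
// Hypothetical AJAX handler (illustration only). Registered on the wp_ajax_ hook it
// runs with whatever session the browser carries, so a logged-in administrator who
// loads a third-party page that auto-submits to
//   admin-ajax.php?action=imagopby_ajax_optimize_gallery
// would start the bulk job without intending to. Nothing here proves the request
// originated from the plugin's own admin screen.
function imagopby_ajax_optimize_gallery_unsafe() {
    $count = imagopby_run_bulk_optimization();           // hypothetical helper
    wp_send_json_success( array( 'optimized' => $count ) );
}
// add_action( 'wp_ajax_imagopby_ajax_optimize_gallery', 'imagopby_ajax_optimize_gallery_unsafe' );

// Hardened form. check_ajax_referer() verifies a nonce that is bound to the action
// string and to the current user's session; with its default $die = true it ends the
// request before the handler body runs when the nonce is missing or invalid. The
// capability check is a separate control: a valid nonce only proves the request came
// from a page that had the nonce, not that the user may run a bulk action.
function imagopby_ajax_optimize_gallery_safe() {
    check_ajax_referer( 'imagopby_optimize_gallery', 'nonce' );  // nonce action string is assumed
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    $count = imagopby_run_bulk_optimization();           // hypothetical helper
    wp_send_json_success( array( 'optimized' => $count ) );
}
add_action( 'wp_ajax_imagopby_ajax_optimize_gallery', 'imagopby_ajax_optimize_gallery_safe' );

// The legitimate caller gets the nonce server-side and posts it with the request.
// A page on another origin cannot read it, so it cannot build a valid request.
// The enqueued admin.js (assumed) would do:
//   jQuery.post( imagopbyAjax.url, { action: 'imagopby_ajax_optimize_gallery',
//                                   nonce: imagopbyAjax.nonce } );
function imagopby_enqueue_admin_script( $hook ) {
    if ( 'upload.php' !== $hook ) {                       // assumed: only the Media Library screen
        return;
    }
    wp_enqueue_script( 'imagopby-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'imagopby-admin', 'imagopbyAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'imagopby_optimize_gallery' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'imagopby_enqueue_admin_script' );

// Hypothetical bulk routine: walks a batch of image attachments and returns how many
// it touched. The real plugin's routine is not shown on the page; this stands in for it
// so the file is self-contained.
function imagopby_run_bulk_optimization() {
    $attachments = get_posts( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'image',
        'numberposts'    => 50,
        'fields'         => 'ids',
    ) );
    foreach ( $attachments as $attachment_id ) {
        update_post_meta( $attachment_id, '_imagopby_optimized', time() );  // marker only
    }
    return count( $attachments );
}
```

The WAF rule the paragraph mentions is a stop-gap that approximates the first line of the hardened handler from outside the application: it can reject a request to this action that has no nonce parameter at all, but it cannot verify the nonce's value, because that is bound to the user session inside WordPress. The plugin-side check is therefore the actual fix; the WAF rule only narrows the window until the upgrade is applied.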
No known patch is available. Review the vulnerability details thoroughly and apply mitigations according to your organization's risk tolerance. Where possible, uninstall the affected software and look for an alternative.
CVE-2025-12190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Image Optimizer by wps.sk WordPress plugin, allowing attackers to trigger unauthorized image optimization actions.
You are affected if your WordPress site uses the Image Optimizer by wps.sk plugin in versions 0.0.0 through 1.2.0.
Upgrade the Image Optimizer by wps.sk plugin to a patched version. If upgrading isn't possible, implement a WAF rule to validate nonces.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the wps.sk website and WordPress plugin repository for the latest advisory and update information.