CVE-2025-11378
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to export and import site options without proper authorization. Attackers can modify critical WordPress settings, potentially compromising site functionality and security. All WordPress sites using ShortPixel Image Optimizer plugin versions up to 6.3.4 are affected.
💻 Affected Systems
- ShortPixel Image Optimizer WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify critical WordPress options like site URL, admin email, or security settings, leading to site takeover, data exposure, or complete site disruption.
Likely Case
Attackers export sensitive configuration data and modify non-critical settings to disrupt site operations or prepare for further attacks.
If Mitigated
With proper user access controls and monitoring, impact is limited to unauthorized data export and minor configuration changes.
🎯 Exploit Status
Requires authenticated access and knowledge of WordPress AJAX endpoints. Technical details are publicly available in the commit diff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.5 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find ShortPixel Image Optimizer.
4. Click 'Update Now' if available, or download version 6.3.5+ from the WordPress plugin repository.
5. Replace the plugin files with the patched version.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily restrict Contributor and higher roles from accessing the site until the patch is applied.
Disable Plugin
Deactivate the ShortPixel Image Optimizer plugin if image optimization is not immediately required.
🧯 If You Can't Patch
- Implement strict user access controls and monitor user activity logs
- Add web application firewall rules to block suspicious admin-ajax.php requests that carry the shortpixel_ajaxRequest action
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel > Plugins > Installed Plugins for the ShortPixel Image Optimizer version. If the version is 6.3.4 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=shortpixel-image-optimiser --field=version
Verify Fix Applied:
After updating, verify that the plugin version shows 6.3.5 or higher on the WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to /wp-admin/admin-ajax.php with action=shortpixel_ajaxRequest from non-admin users
- Multiple option export/import operations in short timeframe
Network Indicators:
- POST requests to admin-ajax.php with shortpixel_ajaxRequest parameter from unexpected user roles
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "shortpixel_ajaxRequest" AND NOT user_role="administrator"
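The two log indicators above (calls carrying the shortpixel_ajaxRequest action from non-administrator users, and several such calls from one user in a short window) can be checked offline against an activity log. The following Python script is an added example written for this advisory; it is not code from the advisory's author or from the ShortPixel project. It assumes a constructed JSON-per-line log in which an activity-log plugin records the acting user's role alongside the request, and the five-minute window and threshold of three are assumed values to tune for your site.

```python
"""Flag admin-ajax.php calls carrying the shortpixel_ajaxRequest action from
non-administrator users, and per-user bursts of such calls (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

SUSPECT_ACTION = "shortpixel_ajaxRequest"   # AJAX action named in the advisory
ADMIN_ROLES = {"administrator"}             # roles expected to touch plugin settings
BURST_WINDOW = timedelta(minutes=5)         # assumed meaning of "short timeframe"
BURST_THRESHOLD = 3                         # assumed count that qualifies as a burst

# Constructed sample log (not real traffic): one JSON record per line, in the shape an
# activity-log plugin that records the acting user's role might emit.
SAMPLE_LOG = """\
{"ts": "2025-10-09T10:00:01Z", "user": "alice", "role": "administrator", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=shortpixel_ajaxRequest"}
{"ts": "2025-10-09T10:02:14Z", "user": "bob", "role": "contributor", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=shortpixel_ajaxRequest"}
{"ts": "2025-10-09T10:02:20Z", "user": "bob", "role": "contributor", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=shortpixel_ajaxRequest"}
{"ts": "2025-10-09T10:03:05Z", "user": "bob", "role": "contributor", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=shortpixel_ajaxRequest"}
{"ts": "2025-10-09T10:05:00Z", "user": "carol", "role": "contributor", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat"}
{"ts": "2025-10-09T10:06:00Z", "user": "dave", "role": "editor", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=shortpixel_ajaxRequest", "body": ""}
"""


def parse_record(line):
    """Parse one JSON log line into a dict whose 'ts' is a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def ajax_action(rec):
    """Return the WordPress AJAX action for an admin-ajax.php request, whether it
    arrived in the query string (GET) or the request body (POST); None otherwise."""
    path, _, query = rec["uri"].partition("?")
    if not path.endswith("/admin-ajax.php"):
        return None
    params = parse_qs(query)
    params.update(parse_qs(rec.get("body", "")))
    return params.get("action", [None])[0]


def detect_non_admin(events):
    """Indicator 1: the suspect action invoked by a user outside ADMIN_ROLES."""
    return [{"kind": "non_admin_ajax", "user": e["user"], "role": e["role"], "ts": e["ts"]}
            for e in events if e["role"] not in ADMIN_ROLES]


def detect_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Indicator 2: at least `threshold` suspect calls by one user inside `window`.
    Sliding window over each user's sorted timestamps; one finding per user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["ts"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"kind": "burst", "user": user, "count": end - start + 1,
                                 "first": times[start], "last": times[end]})
                break
    return findings


def analyze(lines):
    """Run both detections over an iterable of JSON log lines; return all findings."""
    records = [parse_record(l) for l in lines if l.strip()]
    suspect = [r for r in records if ajax_action(r) == SUSPECT_ACTION]
    return detect_non_admin(suspect) + detect_bursts(suspect)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample, alice's call is ignored because she is an administrator, carol's heartbeat call never matches the action, bob's three calls within a minute produce both per-call findings and a burst finding, and dave's GET form is caught because the action is read from the query string as well as the body. Point `analyze()` at your real activity log once its field names are mapped onto `ts`, `user`, `role`, `uri` and `body`.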
🔗 References
- https://github.com/short-pixel-optimizer/shortpixel-image-optimiser/commit/74263060acafbaf63b4a34f339a8b0dc35f2cad9
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379473%40shortpixel-image-optimiser&new=3379473%40shortpixel-image-optimiser&sfp_email=&sfph_mail=
- https://research.cleantalk.org/CVE-2025-11378
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1f7e9eb5-e222-43fa-a14f-b9cbced6b8f5?source=cve