CVE-2025-14482
📋 TL;DR
The Crush.pics WordPress plugin has a missing capability check vulnerability that allows authenticated users with Subscriber-level access or higher to modify plugin settings. This includes disabling auto-compression and changing image quality settings. All WordPress sites using this plugin up to version 1.8.7 are affected.
💻 Affected Systems
- Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable image optimization entirely, leading to degraded site performance, increased bandwidth costs, and potential SEO impact from slow-loading images.
Likely Case
Malicious users could disrupt image optimization workflows, causing inconsistent image quality across the site and minor performance degradation.
If Mitigated
With proper user access controls and monitoring, impact would be limited to temporary configuration changes that could be quickly reverted.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via AJAX endpoints. The vulnerability is publicly documented with code references.
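What a missing capability check looks like in a WordPress AJAX settings handler, and the checks that close it, as an added illustration that is not the Crush.pics plugin's code; the action names, option name, field names and nonce name are hypothetical placeholders.

```php
<?php
// Added example, not the Crush.pics plugin's code. Hook, option, field and
// nonce names are hypothetical placeholders.

// ANTI-PATTERN: wp_ajax_* hooks fire for every logged-in user, so without a
// capability check a Subscriber can reach this handler and rewrite settings.
function example_save_settings_unchecked() {
    $settings = array(
        'auto_compress' => ! empty( $_POST['auto_compress'] ) ? 1 : 0,
        'quality'       => isset( $_POST['quality'] ) ? (int) $_POST['quality'] : 80,
    );
    update_option( 'example_image_settings', $settings ); // hypothetical option
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_save_settings_unchecked', 'example_save_settings_unchecked' );

// HARDENED: require a capability that settings changes warrant, verify the
// nonce so a forged cross-site request from an admin's browser is rejected,
// and sanitize the values before persisting them.
function example_save_settings_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() exits after sending the response.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Nonce created with wp_create_nonce( 'example_settings_nonce' ) on the
    // settings page and sent as the 'nonce' POST field; dies on mismatch.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    $quality = isset( $_POST['quality'] ) ? absint( wp_unslash( $_POST['quality'] ) ) : 80;
    $quality = max( 1, min( 100, $quality ) ); // keep quality within 1..100

    $settings = array(
        'auto_compress' => ! empty( $_POST['auto_compress'] ) ? 1 : 0,
        'quality'       => $quality,
    );
    update_option( 'example_image_settings', $settings ); // hypothetical option
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_checked' );
```

The unchecked handler is registered only so the two can be compared side by side; in a real plugin only the hardened form should exist.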
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3210000%40crush-pics%2F1.8.8&old=3190000%40crush-pics%2F1.8.7
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Crush.pics Image Optimizer'.
4. Click 'Update Now' if available, or download version 1.8.8+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Temporary plugin deactivation
Disable the Crush.pics plugin until patched:
wp plugin deactivate crush-pics
Restrict user roles
Limit Subscriber and Contributor role access, or remove unnecessary user accounts.
🧯 If You Can't Patch
- Implement strict user access controls and review all authenticated user accounts
- Monitor plugin settings changes and implement alerting for unauthorized modifications
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Crush.pics version. If version is 1.8.7 or lower, you are vulnerable.
Check Version:
wp plugin get crush-pics --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 1.8.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to /wp-admin/admin-ajax.php with action parameters related to crush-pics
- Plugin setting changes from non-admin users
Network Indicators:
- POST requests to admin-ajax.php carrying crush-pics related action parameters from sessions that do not belong to administrator accounts (a web-server access log records the client IP and request, not the WordPress role, so role attribution needs application-level logging such as an audit-log plugin)
SIEM Query (assumes a log source that records the WordPress user role per request; confirm the exact action names against inc/class-ajax.php in the references below before deploying):
source="wordpress.log" AND "admin-ajax.php" AND "action=crush_pics" AND (user_role="subscriber" OR user_role="contributor")
🔗 References
- https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L193
- https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L30
- https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L66
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38?source=cve