cleantalk
Vulnerabilities and Security Researches

Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF, CVE-2025-11519

CVE, Research URL

CVE-2025-11519

Home page URL

Security reports for Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF

Application

Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF

Published on
Oct 18, 2025
Research Description
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them.
Affected versions
max 4.1.1.
Status
vulnerable
Previous vulnerability researches
Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF (CVE-2024-4636) , Jun 07, 2024
Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF (CVE-2022-0969) , Jun 07, 2024
Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF (CVE-2025-11519) , Dec 10, 2025
Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF (CVE-2026-5217) , Apr 14, 2026
Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF (CVE-2026-5226) , Apr 14, 2026
New vulnerability
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2026-11777) , Jun 19, 2026
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2026-11776) , Jun 19, 2026
LearnPress – WordPress LMS Plugin (CVE-2026-8383) , Jun 19, 2026
WP Travel Gutenberg Blocks (CVE-2026-54808) , Jun 19, 2026
BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support (CVE-2026-12157) , Jun 19, 2026