{"id":"CVE-2025-11378","details":"The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.","modified":"2026-04-10T05:21:37.870073Z","published":"2025-10-18T04:16:05.933Z","references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379473%40shortpixel-image-optimiser&new=3379473%40shortpixel-image-optimiser&sfp_email=&sfph_mail="},{"type":"WEB","url":"https://research.cleantalk.org/CVE-2025-11378"},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1f7e9eb5-e222-43fa-a14f-b9cbced6b8f5?source=cve"},{"type":"FIX","url":"https://github.com/short-pixel-optimizer/shortpixel-image-optimiser/commit/74263060acafbaf63b4a34f339a8b0dc35f2cad9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/short-pixel-optimizer/shortpixel-image-optimiser","events":[{"introduced":"0"},{"fixed":"74263060acafbaf63b4a34f339a8b0dc35f2cad9"}]}],"versions":["v4.14.6","v4.15.0","v4.15.2","v4.15.3","v4.16.0","v4.16.1","v4.16.3","v4.16.4","v4.17.0","v4.17.1","v4.17.2","v4.17.3","v4.17.4","v4.18.0","v4.18.1","v4.19.0","v4.19.1","v4.19.2","v4.19.3","v4.20.0","v4.20.1","v4.20.2","v4.21.0","v4.21.1","v4.21.2","v4.22.0","v4.22.1","v4.22.10","v4.22.2","v4.22.3","v4.22.4","v4.22.5","v4.22.6","v4.22.7","v4.22.8","v4.22.9","v5.0.0","v5.0.1","v5.0.2","v5.0.3","v5.0.4","v5.0.5","v5.0.6","v5.0.7","v5.0.8","v5.0.9","v5.1.0","v5.1.1","v5.1.2","v5.1.3","v5.1.4","v5.1.5","v5.1.6","v5.2.0","v5.2.1","v5.2.2","v5.2.3","v5.3.0","v5.4.0","v5.4.1","v5.4.2","v5.4.3","v5.5.0","v5.5.1","v5.5.2","v5.5.3","v5.5.4","v5.5.5","v5.6.0","v5.6.1","v5.6.2","v5.6.3","v5.6.4","v6.0.0","v6.0.1","v6.0.2","v6.0.3","v6.0.4","v6.0.5","v6.1.0","v6.1.1","v6.1.2","v6.1.3","v6.1.4","v6.2.0","v6.2.1","v6.2.2","v6.3.0","v6.3.1","v6.3.2","v6.3.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11378.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}