Insecure Direct Object Reference in Optimole Image Optimization Plugin for WordPress
CVE-2025-11519

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Optimole – Optimize Images | Convert Webp & Avif | Cdn & Lazy Load | Image Optimization
Vendor
CVE Published:
18 October 2025

What is CVE-2025-11519?

The Optimole plugin for WordPress experiences an Insecure Direct Object Reference vulnerability in all versions up to and including 4.1.0. This issue arises from insufficient validation on a user-controlled key via the /wp-json/optml/v1/move_image REST API endpoint. As a result, authenticated attackers with Author-level access and above can exploit this vulnerability to unlawfully offload media files that do not belong to them, potentially compromising the integrity and confidentiality of sensitive media resources.

Affected Version(s)

Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization * <= 4.1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://research.cleantalk.org/CVE-2025-11519
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
JSON
.
CVE-2025-11519 : Insecure Direct Object Reference in Optimole Image Optimization Plugin for WordPress