{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12015", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T13:43:07.658Z", "datePublished": "2025-11-13T08:27:46.239Z", "dateUpdated": "2026-04-08T16:34:33.653Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:33.653Z"}, "affected": [{"vendor": "sanderkah", "product": "Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto"}], "title": "Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09f01dcc-685b-485b-8572-cdf73d0157dc?source=cve"}, {"url": "https://wordpress.org/plugins/quicq/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-11-12T20:23:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T20:24:53.321346Z", "id": "CVE-2025-12015", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T20:25:04.747Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12015", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T20:24:53.321346Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T20:24:57.808Z"}}], "cna": {"title": "Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "sanderkah", "product": "Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-12T20:23:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09f01dcc-685b-485b-8572-cdf73d0157dc?source=cve"}, {"url": "https://wordpress.org/plugins/quicq/"}], "descriptions": [{"lang": "en", "value": "The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:33.653Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12015", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:33.653Z", "dateReserved": "2025-10-21T13:43:07.658Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-13T08:27:46.239Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto"}], "id": "CVE-2025-12015", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-13T09:15:47.010", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/quicq/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09f01dcc-685b-485b-8572-cdf73d0157dc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:12:20.048883+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to version 2.0.1 or later, or remove it if no longer needed.", "Restrict Subscriber and lower user roles from accessing the plugin\u2019s Ajax endpoints, or enforce stricter role permissions.", "Audit the Afosto connection settings regularly and monitor for unexpected changes."], "summary": {"action": "Patch", "impact": "Unauthorized modification of plugin settings"}, "threat_synthesis": {"affected_systems": "All installations of the Convert WebP & AVIF \u2013 Quicq plugin for WordPress with versions up to and including 2.0.0 are affected. The vulnerability exists in every WordPress site that has this plugin installed, regardless of other configuration settings.", "description_and_impact": "The Convert WebP & AVIF \u2013 Quicq WordPress plugin contains a missing capability check on the \"wpqai_disconnect_quicq_afosto\" AJAX endpoint, allowing authenticated users with Subscriber-level access or higher to trigger an operation that disconnects the Afosto service. This flaw permits attackers to alter the plugin\u2019s configuration and modify key data, potentially disrupting the integration with Afosto and undermining site functionality.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication; a user with at least Subscriber privileges can invoke the unsecured AJAX endpoint, but no elevated privileges or network-level access are necessary. The primary consequence is unauthorized modification of plugin configuration rather than a full system compromise."}}}}, "created": "2025-11-13T15:50:06.162606+00:00", "updated": "2026-04-22T21:15:27.683845+00:00", "vendors": ["sanderkah", "sanderkah$PRODUCT$convert_webp_&_avif", "wordpress", "wordpress$PRODUCT$wordpress"]}