{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12190", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T20:04:51.655Z", "datePublished": "2025-12-05T05:31:28.703Z", "dateUpdated": "2026-04-08T17:25:30.100Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:30.100Z"}, "affected": [{"vendor": "duddi", "product": "Image Optimizer by wps.sk", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Image Optimizer by wps.sk <= 1.2.0 - Cross-Site Request Forgery to Bulk Image Optimization", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d321183a-f0ef-4b5b-855a-da95edb610b9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php"}, {"url": "https://plugins.svn.wordpress.org/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sarawut Poolkhet"}], "timeline": [{"time": "2025-12-04T16:39:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T14:02:16.251019Z", "id": "CVE-2025-12190", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T14:02:22.968Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12190", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T14:02:16.251019Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T14:02:19.367Z"}}], "cna": {"title": "Image Optimizer by wps.sk <= 1.2.0 - Cross-Site Request Forgery to Bulk Image Optimization", "credits": [{"lang": "en", "type": "finder", "value": "Sarawut Poolkhet"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "duddi", "product": "Image Optimizer by wps.sk", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T16:39:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d321183a-f0ef-4b5b-855a-da95edb610b9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php"}, {"url": "https://plugins.svn.wordpress.org/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php"}], "descriptions": [{"lang": "en", "value": "The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:30.100Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12190", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:25:30.100Z", "dateReserved": "2025-10-24T20:04:51.655Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T05:31:28.703Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12190", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T06:16:06.740", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d321183a-f0ef-4b5b-855a-da95edb610b9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:07:03.657105+00:00", "value": {"mitigation_remediation": ["Deploy an updated version of the Image Optimizer by wps.sk plugin that includes proper nonce verification for the imagopby_ajax_optimize_gallery() function.", "If an update is unavailable, remove or disable the bulk optimization functionality until a fix is applied.", "Implement additional CSRF defenses such as validating the request origin or referrer and rejecting requests that lack a nonce.", "Restrict bulk optimization actions to users with the highest administrative privileges only.", "Use a web application firewall or security plugin to detect and block suspicious POST requests that do not contain a valid nonce or legitimate user agent."], "summary": {"action": "Apply Patch", "impact": "Unauthorized bulk image optimization"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Image Optimizer by wps.sk WordPress plugin up to and including version 1.2.0. WordPress sites that have installed that plugin version are at risk.", "description_and_impact": "The Image Optimizer by wps.sk plugin is vulnerable to Cross\u2011Site Request Forgery due to missing or incorrect nonce validation in the imagopby_ajax_optimize_gallery() function. An attacker who can trick a site administrator into clicking a forged link can trigger automatic bulk image optimization, consuming server resources and potentially degrading site performance. This effect can lead to a denial\u2011of\u2011service scenario for media\u2011heavy sites.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low\u2011to\u2011moderate severity, and the EPSS score is below 1%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must lure an administrator to a forged request, so the vector relies on social engineering, but the lack of nonce validation provides a reliable path for attackers who succeed in tricking an admin."}}}}, "created": "2025-12-05T10:51:48.170655+00:00", "updated": "2026-04-21T01:15:20.127876+00:00", "vendors": ["duddi", "duddi$PRODUCT$image_optimizer", "wordpress", "wordpress$PRODUCT$wordpress"]}