{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25387", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.231Z", "datePublished": "2026-02-19T08:27:02.035Z", "dateUpdated": "2026-04-28T16:14:57.464Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "image-optimization", "product": "Image Optimizer by Elementor", "vendor": "Elementor", "versions": [{"changes": [{"at": "1.7.2", "status": "unaffected"}], "lessThanOrEqual": "1.7.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:34.944Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1.</p>"}], "value": "Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:57.464Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/image-optimization/vulnerability/wordpress-image-optimizer-by-elementor-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Image Optimizer by Elementor plugin <= 1.7.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T18:49:42.551557Z", "id": "CVE-2026-25387", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:38:26.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25387", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T18:49:42.551557Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:49:36.900Z"}}], "cna": {"title": "WordPress Image Optimizer by Elementor plugin <= 1.7.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elementor", "product": "Image Optimizer by Elementor", "versions": [{"status": "affected", "changes": [{"at": "1.7.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.1"}], "packageName": "image-optimization", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:34.944Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/image-optimization/vulnerability/wordpress-image-optimizer-by-elementor-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.350Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25387", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:38:26.501Z", "dateReserved": "2026-02-02T12:53:07.231Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:02.035Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Elementor Image Optimizer de Elementor image-optimization permite la explotaci\u00f3n de niveles de seguridad de control de acceso mal configurados. Este problema afecta a Image Optimizer de Elementor: desde n/a hasta &lt;= 1.7.1."}], "id": "CVE-2026-25387", "lastModified": "2026-04-28T02:16:06.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-19T09:16:20.817", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/image-optimization/vulnerability/wordpress-image-optimizer-by-elementor-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Image Optimizer by Elementor", "source": "cna", "vendor": "Elementor"}, "product": "image_optimizer_by_elementor", "vendor": "elementor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:21:14.694107+00:00", "value": {"mitigation_remediation": ["Upgrade Elementor Image Optimizer to version 1.7.2 or later, which removes the missing authorization check.", "If an immediate upgrade is not possible, permanently disable or uninstall the plugin to eliminate the exposed functionality.", "Review site access controls and restrict direct access to plugin endpoints, ensuring only authenticated administrators can interact with plugin APIs."], "summary": {"action": "Update", "impact": "Unauthorized Access or Control"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress plugin Elementor Image Optimizer by Elementor, with all releases up to and including version 1.7.1 susceptible. Sites running this plugin without the latest update are at risk. Since the plugin runs in a WordPress environment, any WordPress site that has installed the vulnerable version is potentially impacted.", "description_and_impact": "The vulnerability is a missing authorization check in Elementor Image Optimizer by Elementor, as described in the CVE, allowing attackers to exploit incorrectly configured access control. This broken access control can let an unauthenticated or low\u2011privileged user gain unauthorized access to functionality normally restricted by the plugin, potentially leading to data exposure or unauthorized configuration changes. The weakness aligns with CWE\u2011862.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity. An EPSS score of less than 1% suggests the probability of public exploitation is very low at the time of analysis, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to reach the plugin\u2019s protected endpoints, which are typically exposed to all visitors; thus the likely attack vector is remote via HTTP requests. Because the flaw stems from a missing authorization layer, an attacker who can trigger the vulnerable endpoint can bypass restrictions without needing valid credentials."}}}}, "created": "2026-02-20T10:08:37.033113+00:00", "updated": "2026-04-16T00:30:18.857783+00:00", "vendors": ["elementor", "elementor$PRODUCT$image_optimizer_by_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}