Primary

Context

Optimole WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Unauthorized Media Offload

Vulnerability

A vulnerability exists in the Optimole WordPress plugin, specifically in versions through 4.1.0. The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated users with Author-level access or higher to offload media that does not belong to them. This vulnerability is accessible through the /wp-json/optml/v1/move_image REST API endpoint, where missing validation on a user-controlled key creates the opportunity for unauthorized media manipulation.

Impact

Exploitation of this vulnerability allows for unauthorized media offload, potentially leading to misuse or unauthorized access to media assets.

Remediation

Users can update to version 4.1.1 or a newer patched version to address this vulnerability.

Added: Oct 18, 2025, 7:21 AM

Updated: Oct 18, 2025, 7:21 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

5.9

remediation

7.7

relevance

0.8

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

5.9

remediation

7.7

relevance

0.8

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Optimole WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Unauthorized Media Offload

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating