Atomic Edge analysis of CVE-2026-25387:
The Image Optimizer by Elementor plugin for WordPress versions up to and including 1.7.1 contains a missing authorization vulnerability. This flaw allows authenticated attackers with subscriber-level permissions or higher to perform unauthorized administrative actions. The vulnerability resides in the plugin’s REST API endpoint handlers where capability checks are improperly implemented.
Root Cause: The vulnerability exists in the `verify_nonce_and_capability` method within the `Route` class at `/image-optimization/classes/route.php`. In the vulnerable version (lines 357-364), the method calls `verify_nonce()` but does not check its return value before proceeding to the capability check. The method returns an error only if the capability check fails, ignoring any nonce verification errors. This allows authenticated users with any role to bypass nonce validation and access protected endpoints. Multiple REST endpoint handlers in the `/image-optimization/modules/backups/rest/` directory call this method without proper error handling.
Exploitation: An attacker with subscriber-level access can send authenticated POST requests to vulnerable REST endpoints without valid nonces. The primary attack vectors include the `/wp-json/image-optimization/v1/backups/remove-backups` endpoint (DELETE method) and `/wp-json/image-optimization/v1/backups/restore-all` endpoint (POST method). The attacker must be authenticated and provide the required `nonce` parameter, but any value (including invalid or empty) will be accepted due to the missing validation. The payload structure is a standard WordPress REST API request with the `nonce` parameter.
Patch Analysis: The patch in version 1.7.2 modifies the `verify_nonce_and_capability` method at `/image-optimization/classes/route.php` lines 357-364. The updated code stores the result of `verify_nonce()` in a variable and returns any error immediately before proceeding to the capability check. Additionally, all affected REST endpoint handlers in the `/image-optimization/modules/backups/rest/` directory now check the return value of `verify_nonce_and_capability` and return errors appropriately. This ensures both nonce validation and capability checks must pass before executing protected actions.
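The following is an added illustration, not the plugin's own code, of the defect pattern described in the root cause and the corrected pattern described in the patch analysis: a nonce verification whose `WP_Error` result is computed but never acted on, in both the `Route` method and the handler that calls it, beside the version that returns the error immediately. Method names follow this analysis; the nonce action string, the capability name and the handler body are assumed, since the page does not state them.

```php
<?php
// Added illustration, not the plugin's own code: the defect pattern the root
// cause describes (a nonce check whose result is never acted on) beside the
// corrected pattern. Method names follow the advisory; the nonce action and the
// capability are assumed, because the page does not state them.

abstract class Route_Base {
    protected function verify_nonce( \WP_REST_Request $request ) {
        $nonce = (string) $request->get_param( 'nonce' );
        if ( ! wp_verify_nonce( $nonce, 'image_optimization' ) ) {  // assumed action
            return new \WP_Error( 'invalid_nonce', 'Invalid nonce.', [ 'status' => 403 ] );
        }
        return true;
    }
    protected function forbidden() {
        return new \WP_Error( 'forbidden', 'Insufficient permissions.', [ 'status' => 403 ] );
    }
}

// Vulnerable pattern: verify_nonce() runs but its WP_Error is dropped, and the
// handler ignores what verify_nonce_and_capability() returns as well.
class Route_Vulnerable extends Route_Base {
    public function verify_nonce_and_capability( \WP_REST_Request $request ) {
        $this->verify_nonce( $request );                 // result discarded
        return current_user_can( 'manage_options' ) ? true : $this->forbidden();  // assumed cap
    }
    public function restore_all( \WP_REST_Request $request ) {
        $this->verify_nonce_and_capability( $request );  // never checked
        return new \WP_REST_Response( [ 'restored' => true ] );  // reached by any logged-in user
    }
}

// Fixed pattern: return any nonce error immediately, and make the handler act on it.
class Route_Fixed extends Route_Base {
    public function verify_nonce_and_capability( \WP_REST_Request $request ) {
        $nonce_check = $this->verify_nonce( $request );
        if ( is_wp_error( $nonce_check ) ) {
            return $nonce_check;
        }
        return current_user_can( 'manage_options' ) ? true : $this->forbidden();
    }
    public function restore_all( \WP_REST_Request $request ) {
        $check = $this->verify_nonce_and_capability( $request );
        if ( is_wp_error( $check ) ) {
            return $check;  // the REST server turns a WP_Error into an error response
        }
        return new \WP_REST_Response( [ 'restored' => true ] );
    }
}
```

When auditing a plugin for this class of bug, look for calls to verification helpers whose return value is neither assigned nor tested with `is_wp_error()`, and for REST route registrations whose `permission_callback` defers the real check to the handler.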
Impact: Successful exploitation allows authenticated attackers with minimal privileges to perform administrative image optimization operations. Attackers can trigger bulk removal of image backups via the `remove-backups` endpoint or restore all optimized images to their original versions via the `restore-all` endpoint. This can disrupt site functionality, degrade performance by removing optimizations, or potentially cause data loss if backups are deleted. The vulnerability does not grant full administrative access but allows manipulation of the plugin’s core functionality.
