CVE-2025-11519: 
WordPress vulnerability analysis and mitigation

The Optimole WordPress plugin (versions up to 4.1.0) contains an Insecure Direct Object Reference vulnerability (CVE-2025-11519) discovered on October 18, 2025. The vulnerability exists in the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user-controlled key, allowing authenticated attackers with Author-level access or higher to offload media that doesn't belong to them (NVD).

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue specifically affects the REST API endpoint /wp-json/optml/v1/move_image where insufficient validation of user-controlled keys allows for unauthorized media access (Wordfence).

The vulnerability allows authenticated attackers with Author-level privileges or higher to bypass authorization controls and offload media files that they should not have access to, potentially leading to unauthorized media management (NVD).

Users should upgrade to version 4.1.1 or later of the Optimole plugin, which contains fixes for this vulnerability. The fix was implemented in the plugin's REST API endpoint to properly validate user permissions for media access (WordPress Plugin).