Vulnerability Details: Authenticated Settings Change Vulnerability in MegaOptim Image Optimizer
One of the changelog entries for the latest version of the plugin MegaOptim Image Optimizer is “Security Improvements”. Looking at the changes made in that version, it appears that refers to checking whether the user making requests to the plugin’s AJAX-accessible functions in the file /includes/classes/MGO_Ajax.php is logged in to WordPress. That serves no purpose, since those functions are registered to be accessible only to users logged in to WordPress. While looking into that, we found that at least the function that handles saving the plugin’s settings should have a check limiting what level of logged-in user can access it, but that check is missing. We have notified the developer of that.
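As an added illustration (not the plugin's own code; the handler, option and nonce names are hypothetical), an AJAX handler with the gap described above beside a hardened version that adds the missing capability check:

```php
<?php
// Added example, not code from MegaOptim Image Optimizer. The action name
// mgo_example_save_settings, the option megaoptim_example_settings and the
// nonce action mgo_example_settings_nonce are hypothetical.

// Pattern the advisory describes: registering a handler only under the
// wp_ajax_ prefix (no wp_ajax_nopriv_) already means WordPress will not run it
// for visitors who are not logged in, so an is_user_logged_in() check inside
// the handler is redundant. What is missing is a capability check.
function mgo_example_save_settings_unchecked() {
    if ( ! is_user_logged_in() ) { // redundant: wp_ajax_ handlers already require login
        wp_send_json_error( 'not logged in' );
    }
    // Gap: no capability check, so any logged-in role can change the settings.
    update_option( 'megaoptim_example_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

// Hardened form: limit the action to users allowed to manage options, and
// require a nonce so the request must originate from a page the user loaded
// (defends against CSRF). The nonce is created on the settings page with
// wp_create_nonce( 'mgo_example_settings_nonce' ) and posted as 'nonce'.
function mgo_example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'mgo_example_settings_nonce', 'nonce' );

    // Assumes a flat array of string settings; sanitize each value before saving.
    $raw      = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );

    update_option( 'megaoptim_example_settings', $settings );
    wp_send_json_success( $settings );
}

// Register only the hardened handler, and only for logged-in users (no nopriv hook).
add_action( 'wp_ajax_mgo_example_save_settings', 'mgo_example_save_settings_hardened' );
```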
…