CVE-2020-24948

Name of the Vulnerable Software and Affected Versions Autoptimize Wordpress Plugin version 2.7.6

Description The issue arises from the ao ccss import AJAX call, which fails to verify if the uploaded file is a legitimate Zip file. This allows high-privilege users to upload arbitrary files, including PHP files, leading to remote command execution.

Recommendations For Autoptimize Wordpress Plugin version 2.7.6, consider disabling the ao ccss import AJAX call until a patch is available to prevent the upload of arbitrary files. Restrict access to this functionality to minimize the risk of exploitation. Avoid using this feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.