PT-2021-15911 · WordPress · Autoptimize
Marcin Węgłowski
·
Published
2021-06-21
·
Updated
2021-06-25
·
CVE-2021-24378
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Autoptimize WordPress plugin versions prior to 2.7.8
Description
The issue allows a high privilege user to upload malicious files, such as .html, containing JavaScript code via the 'Import Settings' feature. This code can execute when a victim visits index.html inside the plugin directory.
Recommendations
For versions prior to 2.7.8, update to version 2.7.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'Import Settings' feature to minimize the risk of exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Autoptimize