CVE-2021-24376

Name of the Vulnerable Software and Affected Versions Autoptimize WordPress plugin versions prior to 2.7.8

Description The issue is related to the "Import Settings" feature of the Autoptimize WordPress plugin, which improperly handles the extraction of uploaded archives. This allows an attacker to upload a zip file containing a directory with a PHP file, bypassing the plugin's attempt to delete malicious files. The vulnerability enables remote code execution.

Recommendations For versions prior to 2.7.8, update to version 2.7.8 or later to resolve the issue. As a temporary workaround, consider disabling the "Import Settings" feature until a patch is available. Restrict access to the uploaded archives and extracted folders to minimize the risk of exploitation. Avoid using the "Import Settings" functionality with untrusted sources until the issue is resolved.