CVE-2022-1009

Name of the Vulnerable Software and Affected Versions Smush WordPress plugin versions prior to 3.9.9

Description The issue arises from the Smush WordPress plugin not sanitizing and escaping a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file.

Recommendations For versions prior to 3.9.9, update to version 3.9.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin page where the configuration parameter is output to minimize the risk of exploitation. Avoid uploading untrusted configuration files to prevent potential attacks.