CVE-2019-25217

Name of the Vulnerable Software and Affected Versions SiteGround Optimizer plugin for WordPress versions up to 5.0.12 Caldera Forms versions prior to the latest update

Description The vulnerability is related to authorization bypass, leading to Remote Code Execution and Local File Inclusion. This is due to incorrect use of an access control attribute on the switch php function called via the "/switch-php" REST API route. Attackers can include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Recommendations For SiteGround Optimizer plugin for WordPress versions up to 5.0.12: Update to the latest version immediately to mitigate risks. For Caldera Forms versions prior to the latest update: Update to the latest version immediately to mitigate risks. As a temporary workaround, consider disabling the switch php function until a patch is available. Restrict access to the vulnerable API endpoint "/switch-php" to minimize the risk of exploitation.