CVE-2024-8480

Name of the Vulnerable Software and Affected Versions: The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress versions up to, and including, 7.2.7

Description: The issue is related to unauthorized modification of data due to a missing capability check on the sirv save prevented sizes function. This allows authenticated attackers with Contributor-level access and above to exploit the sirv upload file by chunks callback function, which lacks proper file type validation, enabling them to upload arbitrary files on the affected site's server. This may make remote code execution possible.

Recommendations: For versions up to, and including, 7.2.7, update to a version that includes the necessary capability checks and file type validation to prevent unauthorized data modification and potential remote code execution. As a temporary workaround, consider restricting access to the sirv upload file by chunks callback function and the sirv save prevented sizes function until a patch is available. Additionally, restrict the ability to upload files to only trusted users to minimize the risk of exploitation.