CVE-2021-24376
Autoptimize <= 2.7.7 - Arbitrary File Upload (and Remote Code Execution) via Import Settings
criticalUnrestricted Upload of File with Dangerous Type
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
2.7.8
Patched in
1201d
Time to patch
Description
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAttack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability
Technical Details
Affected versions
<2.7.8PublishedOctober 9, 2020
Last updatedJanuary 22, 2024
Affected pluginautoptimize
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.