CVE-2021-24376

CWE-434 — Unrestricted File Upload CWE-94 — Code Injection3 documents3 sources

Severity

9.8CRITICAL

EPSS

10.0%

top 6.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Autoptimize Autoptimize Autoptimize

Timeline

PublishedJun 21

Latest updateMay 24

Description

The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5unknown/autoptimize2.7.8 — 2.7.8

▶NVDautoptimize/autoptimize< 2.7.8

🔴Vulnerability Details

GHSA

GHSA-8637-ph22-g43w: The Autoptimize WordPress plugin before 2↗2022-05-24

▶

CVEList

Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings"↗2021-06-21

▶