CVE-2021-24378

Severity: 4.8 MEDIUM
EPSS: 0.2% (top 54.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2021-06-21 / Latest update 2022-05-24

Description

The Autoptimize WordPress plugin before 2.7.8 does not validate the contents of the archive uploaded via the 'Import Settings' feature, so files it has no reason to accept, such as .html, are extracted along with the settings. A high-privilege user can therefore upload an archive containing a file with JavaScript code; that file is written into the plugin directory and the script executes when a victim visits index.html there (authenticated stored XSS via file upload).
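As an added illustration (not the plugin's own code, which is PHP, and not the fix that shipped in 2.7.8), the following Python shows the vulnerable import pattern the description implies, extracting whatever the uploaded archive contains into the plugin directory, beside a hardened version that allowlists archive member names before anything touches the filesystem. The member name settings.txt, the single-file layout and the index.html payload are assumptions made for the demo; the archives are constructed inline.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Illustrative allowlist (an assumption, not the plugin's real archive layout):
# a settings export is expected to hold exactly one plain-text member.
ALLOWED_MEMBERS = frozenset({"settings.txt"})


class ArchiveRejected(ValueError):
    """Raised when an uploaded archive contains anything outside the allowlist."""


def build_archive(members: dict) -> bytes:
    """Build an in-memory zip from {name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def check_members(data: bytes) -> list:
    """Validate every member name before extraction.

    Rejects directory entries, absolute paths, traversal, backslash separators
    and any name not on the allowlist, so index.html, a .php file or .htaccess
    all fail regardless of extension tricks.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if not names:
        raise ArchiveRejected("empty archive")
    for name in names:
        if name.endswith("/"):
            raise ArchiveRejected("directory entry: %r" % name)
        norm = posixpath.normpath(name.replace("\\", "/"))
        if norm.startswith("/") or norm.startswith("..") or "/" in norm:
            raise ArchiveRejected("path escapes import directory: %r" % name)
        if norm not in ALLOWED_MEMBERS:
            raise ArchiveRejected("member not on allowlist: %r" % name)
    return names


def import_unchecked(data: bytes, dest: str) -> list:
    """The vulnerable pattern: extract whatever the archive contains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
    return sorted(os.listdir(dest))


def import_checked(data: bytes, dest: str) -> list:
    """Hardened: allowlist first, then write only the validated members by name."""
    names = check_members(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in names:
            with zf.open(name) as src, open(os.path.join(dest, name), "wb") as dst:
                dst.write(src.read())
    return sorted(os.listdir(dest))


def demo() -> tuple:
    """Run both importers against a constructed malicious settings archive."""
    evil = build_archive({
        "settings.txt": "autoptimize_js=1\n",
        # The stored-XSS payload file the advisory describes (constructed).
        "index.html": "<script>alert(document.cookie)</script>",
    })
    with tempfile.TemporaryDirectory() as d:
        unchecked = import_unchecked(evil, d)  # index.html lands on disk
    try:
        with tempfile.TemporaryDirectory() as d:
            import_checked(evil, d)
        rejected = False
    except ArchiveRejected:
        rejected = True
    return unchecked, rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting on an exact member allowlist is preferable to a denylist of extensions (.html, .php, ...) because the denylist has to anticipate every file type the web server will execute or render; the allowlist only has to describe what a legitimate export contains. Normalising the name before the check also closes the traversal and backslash variants that would otherwise write outside the plugin directory.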

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

The score is held down by PR:H (the attacker must already hold a high-privilege account to use 'Import Settings') and UI:R (a victim must visit the planted index.html); S:C reflects that the script runs in the browser of other users rather than in the uploading account.

Affected Packages (2 packages)

Source: CVEList V5 | Package: unknown/autoptimize | Vulnerable before: 2.7.8 | Fixed in: 2.7.8

Vulnerability Details (2 sources)

GHSA: GHSA-27r4-rp49-685c: The Autoptimize WordPress plugin before 2… (2022-05-24)
CVEList: Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload (2021-06-21)