SiteGround Optimizer Plugin Vulnerable to Remote Code Execution
CVE-2019-25217

9.8 CRITICAL

Key Information:

Vendor: Siteground
Plugin: Speed Optimizer – The All-in-one Performance-boosting Plugin
CVE Published: 16 October 2024

Summary

The SiteGround Optimizer plugin for WordPress contains a vulnerability stemming from improper access control on the switch_php function, which is reachable through the /switch-php REST API route. This weakness lets unauthorized users bypass the intended authorization check, which in turn allows Remote Code Execution (RCE) and Local File Inclusion (LFI). As a result, attackers can include and execute arbitrary files on the server, potentially running malicious PHP code. This can compromise sensitive data and system integrity, since it enables execution of code hidden within seemingly innocuous file types such as images, posing a significant risk to WordPress installations that rely on this plugin.
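The root cause described above is a REST route whose handler performs a privileged action without an effective authorization check. The following PHP is an added illustration written for this page, not the plugin's own code: the route name, namespace, handler and the list of accepted values are hypothetical placeholders. It contrasts a registration whose `permission_callback` always returns true (the class of flaw the advisory describes) with a hardened registration that requires an administrator capability and constrains the input.

```php
<?php
/*
 * Added illustration, not SiteGround's code. Everything below
 * (namespace 'example-plugin/v1', the handler name, the version list)
 * is a hypothetical placeholder.
 */

// Weak pattern: '__return_true' as the permission_callback means any
// client, authenticated or not, may invoke the privileged handler.
// (Omitting permission_callback entirely is no better: since WordPress
// 5.5 it triggers a _doing_it_wrong notice but the route still answers.)
function example_register_route_weak() {
    register_rest_route( 'example-plugin/v1', '/switch-php', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_switch_php_handler',
        'permission_callback' => '__return_true', // weak: no authorization
    ) );
}

// Hardened pattern: require a logged-in user with 'manage_options'
// (an administrator) and restrict the argument to an allow-list so the
// handler never receives an attacker-chosen path or arbitrary string.
function example_register_route_hardened() {
    register_rest_route( 'example-plugin/v1', '/switch-php', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_switch_php_handler',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'version' => array(
                'required'          => true,
                'type'              => 'string',
                // Hypothetical allow-list; only these exact values pass validation.
                'enum'              => array( '7.4', '8.0', '8.1', '8.2' ),
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}

// Handler shared by both registrations. It only ever sees a value that
// passed the 'enum' validation when the hardened registration is used.
function example_switch_php_handler( WP_REST_Request $request ) {
    $version = $request->get_param( 'version' );

    // The privileged configuration change would happen here; it is
    // intentionally left out because it is specific to the hosting platform.
    return rest_ensure_response( array(
        'status'  => 'ok',
        'version' => $version,
    ) );
}

// Only the hardened registration is hooked; the weak one is kept for contrast.
add_action( 'rest_api_init', 'example_register_route_hardened' );
```

When reviewing a plugin for this class of issue, grep its `register_rest_route` calls for `'__return_true'` or a missing `permission_callback`, and confirm that each callback that changes server state checks a capability rather than merely `is_user_logged_in()`. Cookie-authenticated REST requests additionally need a valid `X-WP-Nonce` header before WordPress populates the current user, so a capability check inside `permission_callback` also rejects forged cross-site requests.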

Affected Version(s)

Speed Optimizer – The All-in-one Performance-boosting Plugin: * (all versions) < 5.0.13

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability Reserved

  • Vulnerability Published

Credit

Marc-Alexandre Montpas