Arbitrary File Upload Vulnerability in Autoptimize WordPress Plugin
CVE-2020-24948

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Autoptimize
Vendor: CVE Published:; 3 September 2020

Summary

The Autoptimize WordPress Plugin version 2.7.6 contains a significant vulnerability that allows high privilege users to upload arbitrary files through the ao_ccss_import AJAX call. This occurs due to inadequate validation of the uploaded file, permitting non-Zip file uploads, such as PHP scripts. If exploited, this can lead to remote command execution, posing a severe risk to the integrity and security of the affected WordPress installations.

References

https://wpvulndb.com/vulnerabilities/10372

x_refsource_MISC

http://packetstormsecurity.com/files/160850/WordPress-Aut...

x_refsource_MISC

EPSS Score

54% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 3, 2020
Vulnerability Reserved
Aug 28, 2020