CVE-2020-24948

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Autoptimize
Vendor: CVE Published:; 3 September 2020

Summary

The ao_ccss_import AJAX call in Autoptimize Wordpress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to remote command execution.

References

https://wpvulndb.com/vulnerabilities/10372

x_refsource_MISC

http://packetstormsecurity.com/files/160850/WordPress-Aut...

x_refsource_MISC

EPSS Score

54% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 3, 2020
Vulnerability Reserved
Aug 28, 2020