WordPress EWWW Image Optimizer Plugin <= 7.2.0 is vulnerable to Sensitive Data Exposure
CVE-2023-40600

7.5HIGH

Key Information:

Vendor: WordPress
Status: Ewww Image Optimizer
Vendor: CVE Published:; 30 November 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 12%

Summary

A vulnerability has been identified in the EWWW Image Optimizer plugin by Exactly WWW, which could allow the exposure of sensitive information to unauthorized users. This issue occurs only when the debug log is enabled, potentially leading to unauthorized access to sensitive data. Affected versions include all prior to 7.2.0, emphasizing the need for users to evaluate their security settings and ensure that debugging features are not exposing critical information.

Affected Version(s)

EWWW Image Optimizer <= 7.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-40600
Created by RandomRobbieBF

References

https://patchstack.com/database/vulnerability/ewww-image-...

vdb-entry

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 30, 2023
🟡
Public PoC available
Nov 20, 2023
👾
Exploit known to exist
Nov 20, 2023
Vulnerability Reserved
Aug 17, 2023

Credit

Mika (Patchstack Alliance)