124 matches found
WordPress Cross-Site Scripting Vulnerability
WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the Autoptimize WordPress plugin prior to...
Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings"
The plugin attempts to delete malicious files such as .php files from the archive uploaded via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked, and it is possible to upload a zip which contains a directory with a PHP file in it and then it is not remove...
WordPress Autoptimize plugin <= 2.7.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Marcin Węgłowski in WordPress Autoptimize plugin versions <= 2.7.7. Solution: Update the WordPress Autoptimize plugin to the latest available version (at least 2.7.8)...
CVE-2020-24948
The aoccssimport AJAX call in Autoptimize WordPress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high-privilege users to upload arbitrary files, such as PHP, leading to remote command execution...