256 matches found

CVE
added 2021/06/21 7:18 p.m. | 77 views

CVE-2021-24376

The CVE-2021-24376 entry concerns the Autoptimize WordPress plugin prior to 2.7.8. The issue is a race-condition vulnerability where, after extracting an uploaded archive via Import Settings, the plugin attempts to delete malicious files (e.g., PHP) but does not fully inspect the extracted folder...

CVSS 9.8 | AI score 7.8 | EPSS 0.10014
Exploits: 2 | References: 1 | Affected Software: 1

CNNVD
added 2021/06/21 12:0 a.m. | 1 view

WordPress Code Issue Vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on PHP and MySQL servers. A security vulnerability exists in WordPress Autoptimize plugin versions prior to 2.7.8, which allows an...

CVSS 9.8 | AI score 8.8 | EPSS 0.10014
Exploits: 2 | References: 1

CNNVD
added 2021/06/21 12:0 a.m. | 3 views

WordPress Race Condition Vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on PHP and MySQL servers. A security vulnerability exists in WordPress Autoptimize plugin versions prior to 2.7.8, which allows an...

CVSS 8.1 | AI score 7.6 | EPSS 0.00485
Exploits: 2 | References: 1

CNNVD
added 2021/06/21 12:0 a.m. | 1 view

WordPress Cross-Site Scripting Vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on PHP and MySQL servers. A security vulnerability exists in WordPress Autoptimize plugin versions prior to 2.7.8, which allows an...

CVSS 4.8 | AI score 5.7 | EPSS 0.00225
Exploits: 2 | References: 1

CNVD
added 2021/05/25 12:0 a.m. | 8 views

WordPress Cross-Site Scripting Vulnerability (CNVD-2021-37139)

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress Autoptimize WordPress plugin prior to...

CVSS 4.8 | AI score 5.9 | EPSS 0.00186
Exploits: 2 | References: 1

OSV
added 2021/05/24 11:15 a.m. | 1 view

CVE-2021-24332

The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues...

CVSS 4.8 | AI score 5.8 | EPSS 0.00186
Exploits: 2 | References: 2

NVD
added 2021/05/24 11:15 a.m. | 8 views

CVE-2021-24332

The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues...

CVSS 4.8 | EPSS 0.00186
Exploits: 2 | References: 2

Prion
added 2021/05/24 11:15 a.m. | 8 views

Cross site scripting

The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues...

CVSS 3.5 | AI score 4.6 | EPSS 0.00186
Exploits: 2 | References: 2 | Affected Software: 1

CVE
added 2021/05/24 10:58 a.m. | 50 views

CVE-2021-24332

CVE-2021-24332 affects the WordPress Autoptimize plugin before version 2.8.4. The vulnerability stems from missing escaping and sanitisation in certain settings, enabling highly privileged (authenticated) users to inject XSS payloads that are stored (stored XSS). Documented impacts include authen...

CVSS 4.8 | AI score 4.7 | EPSS 0.00186
Exploits: 2 | References: 2 | Affected Software: 1

Cvelist
added 2021/05/24 10:58 a.m. | 11 views

CVE-2021-24332 Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)

The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues...

AI score 4.9 | EPSS 0.00186
Exploits: 2 | References: 2

CNNVD
added 2021/05/24 12:0 a.m. | 1 view

WordPress Cross-Site Scripting Vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress Autoptimize WordPress plugin prior to...

CVSS 4.8 | AI score 5 | EPSS 0.00186
Exploits: 2 | References: 2

WPVulnDB
added 2021/05/07 12:0 a.m. | 35 views

Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues PoC Adds the following payloads in the API Key settings /wp-admin/options-general.php?page=aocritcss " -- PoC 1...

CVSS 4.8 | AI score 0.9 | EPSS 0.00186
Exploits: 2 | References: 2 | Affected Software: 1

wpexploit
added 2021/05/07 12:0 a.m. | 93 views

Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues Adds the following payloads in the API Key settings /wp-admin/options-general.php?page=aocritcss "alert/XSS/ --...

CVSS 4.8 | AI score 0.1 | EPSS 0.00186
Exploits: 2 | References: 2

Patchstack
added 2021/05/04 12:0 a.m. | 17 views

WordPress Autoptimize plugin <= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress Autoptimize plugin versions <= 2.8.3. Solution: Update the WordPress Autoptimize plugin to the latest available version (at least 2.8.4)...

AI score 2.5
Exploits: 0 | References: 2 | Affected Software: 1

CNVD
added 2021/01/15 12:0 a.m. | 2 views

WordPress Plugin Autoptimize Authenticated Arbitrary File Upload Vulnerability

WordPress is a blogging platform based on the PHP language, which can be used to set up a website on a server that supports PHP and MySQL databases, and can also be used as a content management system CMS. WordPress Plugin Autoptimize Authenticated suffers from an arbitrary file upload...

AI score 7.6
Exploits: 0 | References: 1

Packet Storm
added 2021/01/08 12:0 a.m. | 236 views

WordPress Autoptimize Shell Upload

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Wordpress Autoptimize Authenticated File Upload', 'Description' = %q The aoccssimport AJAX call does not ensure that the file provided is a...

CVSS 6.5 | EPSS 0.23388
Exploits: 6

Exploit DB
added 2021/01/08 12:0 a.m. | 191 views

WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Wordpress Autoptimize Authenticated File Upload', 'Description' = %q The aoccssimport AJAX call does not ensure that the file provided is a...

CVSS 7.2 | AI score 7.4 | EPSS 0.23388
Exploits: 6

WPVulnDB
added 2020/10/09 12:0 a.m. | 20 views

Autoptimize < 2.7.8 - Race Condition leading to RCE

The plugin attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It ...

AI score 0.2 | EPSS 0.23388
Exploits: 7 | Affected Software: 1

WPVulnDB
added 2020/10/09 12:0 a.m. | 15 views

Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload

The plugin does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html...

AI score 0.8 | EPSS 0.00225
Exploits: 2 | Affected Software: 1

WPVulnDB
added 2020/10/09 12:0 a.m. | 26 views

Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings"

The plugin attempts to delete malicious files such as .php from the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with a PHP file in it and then it is not remove...

AI score 1 | EPSS 0.23388
Exploits: 7 | Affected Software: 1