CVE Vulnerability

CVE-2021-24377

The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It is a bypass of CVE-2020-24948.

6.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8.1 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://wpscan.com/vulnerability/85c0a564-2e56-413d-bc3a-1039343207e4 Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:autoptimize:autoptimize:*:*:*:*:*:wordpress:*:*
Information

Published : 2021-06-21 08:15

Updated : 2021-09-20 05:10

NVD link : CVE-2021-24377

Mitre link : CVE-2021-24377

Products Affected
No products.
CWE
CWE-362