The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It is a bypass of CVE-2020-24948.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/85c0a564-2e56-413d-bc3a-1039343207e4 | Exploit Third Party Advisory |
https://wpscan.com/vulnerability/85c0a564-2e56-413d-bc3a-1039343207e4 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 05:52
Type | Values Removed | Values Added |
---|---|---|
References | () https://wpscan.com/vulnerability/85c0a564-2e56-413d-bc3a-1039343207e4 - Exploit, Third Party Advisory |
25 Jun 2021, 15:55
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:autoptimize:autoptimize:*:*:*:*:*:wordpress:*:* | |
CWE | CWE-362 | |
CVSS |
v2 : v3 : |
v2 : 6.8
v3 : 8.1 |
References | (CONFIRM) https://wpscan.com/vulnerability/85c0a564-2e56-413d-bc3a-1039343207e4 - Exploit, Third Party Advisory |
21 Jun 2021, 20:27
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-06-21 20:15
Updated : 2024-11-21 05:52
NVD link : CVE-2021-24377
Mitre link : CVE-2021-24377
CVE.ORG link : CVE-2021-24377
JSON object : View
Products Affected
autoptimize
- autoptimize
CWE
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')