Image Optimization by Optimole Vulnerability – Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload – CVE-2024-4636 | WordPress Plugin Vulnerability Report

Plugin Name: Image Optimization by Optimole

Key Information:

  • Software Type: Plugin
  • Software Slug: optimole-wp
  • Software Status: Active
  • Software Author: optimole
  • Software Downloads: 4,855,287
  • Active Installs: 200,000
  • Last Updated: May 14, 2024
  • Patched Versions: 3.13.0
  • Affected Versions: <= 3.12.10

Vulnerability Details:

  • Name: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF <= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-4636
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 14, 2024
  • Researcher: wesley (wcraft)
  • Description: The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allow_meme_types' function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Image Optimization by Optimole plugin for WordPress has a vulnerability in versions up to and including 3.12.10 that allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 3.13.0.

Detailed Overview:

The vulnerability was discovered by researcher wesley (wcraft) and has been assigned the CVE identifier CVE-2024-4636. It is categorized as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability with a CVSS score of 6.4 (Medium). The vulnerability exists in the 'allow_meme_types' function of the plugin, which fails to properly sanitize and escape user input, allowing attackers to inject malicious scripts.

Exploitation of this vulnerability could lead to various security risks, including unauthorized access to sensitive user information, session hijacking, and the injection of malicious content on affected WordPress sites.

To remediate this vulnerability, users should update the Image Optimization by Optimole plugin to version 3.13.0 or later, which includes a patch addressing the issue.

Advice for Users:

  1. Immediate Action: Users are strongly encouraged to update the Image Optimization by Optimole plugin to version 3.13.0 or later to ensure their WordPress installations are not vulnerable to this Cross-Site Scripting attack.
  2. Check for Signs of Vulnerability: Site administrators should review their WordPress sites for any signs of unauthorized modifications or suspicious content that may indicate a successful exploitation of this vulnerability.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the Optimole developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.13.0 or later of the Image Optimization by Optimole plugin to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/optimole-wp

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/optimole-wp/image-optimization-by-optimole-lazy-load-cdn-convert-webp-avif-31210-authenticated-author-stored-cross-site-scripting-via-svg-upload

Detailed Report:

Attention all WordPress website owners and administrators! A critical security vulnerability has recently been discovered in the popular Image Optimization by Optimole plugin. This vulnerability, identified as CVE-2024-4636, poses a significant risk to the security of your website and the sensitive information it holds.

The Affected Plugin

The Image Optimization by Optimole plugin, active on over 200,000 WordPress websites, is designed to optimize images, provide lazy loading, and convert images to WebP and AVIF formats. The plugin, authored by optimole, has been downloaded over 4,855,287 times. The vulnerability affects versions up to and including 3.12.10, with version 3.13.0 being released on May 14, 2024, to address the issue.

The Vulnerability

Identified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability, CVE-2024-4636 was discovered by researcher wesley (wcraft). The vulnerability exists in the 'allow_meme_types' function of the plugin, which fails to properly sanitize and escape user input, allowing attackers to inject malicious scripts. Authenticated attackers with contributor-level permissions and above can exploit this vulnerability to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

Risks and Potential Impacts

Exploitation of this vulnerability could lead to various security risks, including unauthorized access to sensitive user information, session hijacking, and the injection of malicious content on affected WordPress sites. Attackers could potentially deface your website, steal user data, or use your site to distribute malware, putting your users and reputation at risk.

Remediation Steps

To mitigate this security risk, it is imperative that you take immediate action by updating the Image Optimization by Optimole plugin to version 3.13.0 or later. This updated version includes a patch that addresses the vulnerability, ensuring the safety and security of your WordPress site.

In addition to updating the plugin, site administrators should review their WordPress sites for any signs of unauthorized modifications or suspicious content that may indicate a successful exploitation of this vulnerability. As a precautionary measure, you may also consider using alternate plugins that offer similar functionality.
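The advice above to review the site for signs of exploitation can be made concrete for this bug's vector, SVG upload: scan the uploads directory for SVG files that carry active content (script elements, event-handler attributes, javascript: links, foreignObject). This is an added example, not code from the report or from the Optimole plugin; it assumes a filesystem path such as wp-content/uploads, and the sample SVGs are constructed inline for illustration.

```python
"""Flag SVG files under a WordPress uploads directory that carry active content."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Element local names that can execute script or embed HTML inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
JS_URL = re.compile(r"^\s*javascript:", re.I)


def _local(name: str) -> str:
    """Strip the XML namespace prefix ({uri}name) from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def svg_findings(svg_text: str) -> list[str]:
    """Return sorted reasons an SVG looks like an XSS carrier; an empty list means clean."""
    findings = set()
    try:
        # For untrusted input in production, defusedxml.ElementTree is a safer parser.
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Malformed XML: still grep for obvious markers instead of silently passing it.
        if re.search(r"<\s*script\b|\son[a-z]+\s*=", svg_text, re.I):
            findings.add("unparseable-with-script-markers")
        return sorted(findings)
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.add(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):          # onload=, onclick=, ...
                findings.add(f"event-handler:{name}")
            if name == "href" and JS_URL.match(value):  # href= or xlink:href=
                findings.add("javascript-href")
    return sorted(findings)


def scan_uploads(uploads_dir: Path) -> dict[str, list[str]]:
    """Map each suspicious .svg under uploads_dir (assumed: wp-content/uploads) to its findings."""
    report = {}
    for path in uploads_dir.rglob("*.svg"):
        found = svg_findings(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(path)] = found
    return report


# Constructed samples, not files taken from any real site.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
           '<script>void(0)</script><a xlink:href="javascript:void(0)"><rect onload="x()"/></a></svg>')
```

Run `scan_uploads(Path("wp-content/uploads"))` from the site root and treat every reported file as something to quarantine and investigate, not merely delete.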

Previous Vulnerabilities

It is worth noting that the Image Optimization by Optimole plugin has had two previous vulnerabilities reported since March 2022. This highlights the importance of staying vigilant and keeping your plugins up to date to ensure the ongoing security of your WordPress installation.

The Importance of Staying Updated

As a small business owner with a WordPress website, it is crucial to understand that keeping your site secure is an ongoing process. Regularly updating your WordPress core, plugins, and themes is one of the most effective ways to protect your site from potential vulnerabilities.

We understand that managing a website alongside your business can be time-consuming, but neglecting security updates can have devastating consequences. By prioritizing regular updates and staying informed about potential vulnerabilities, you can significantly reduce the risk of your site falling victim to malicious attacks.

Consider setting aside dedicated time each month to review and update your WordPress installation, or engage the services of a professional WordPress maintenance and security provider to ensure your site remains secure and up to date.

In conclusion, the discovery of the CVE-2024-4636 vulnerability in the Image Optimization by Optimole plugin serves as a stark reminder of the importance of staying proactive in maintaining the security of your WordPress website. By taking swift action to update your plugins and remaining vigilant, you can protect your business, your users, and your online reputation from the ever-evolving landscape of cyber threats.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
