Image Optimization by Optimole Vulnerability – Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload – CVE-2024-4636 | WordPress Plugin Vulnerability Report
Plugin Name: Image Optimization by Optimole
Key Information:
- Software Type: Plugin
- Software Slug: optimole-wp
- Software Status: Active
- Software Author: optimole
- Software Downloads: 4,855,287
- Active Installs: 200,000
- Last Updated: May 14, 2024
- Patched Versions: 3.13.0
- Affected Versions: <= 3.12.10
Vulnerability Details:
- Name: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF <= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-4636
- CVSS Score: 6.4 (Medium)
- Publicly Published: May 14, 2024
- Researcher: wesley (wcraft)
- Description: The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allow_meme_types' function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Image Optimization by Optimole plugin for WordPress has a vulnerability in versions up to and including 3.12.10 that allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 3.13.0.
Detailed Overview:
The vulnerability was discovered by researcher wesley (wcraft) and has been assigned the CVE identifier CVE-2024-4636. It is categorized as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability with a CVSS score of 6.4 (Medium). The vulnerability exists in the 'allow_meme_types' function of the plugin, which fails to properly sanitize and escape user input, allowing attackers to inject malicious scripts.
Exploitation of this vulnerability could let an authenticated user store script inside an uploaded SVG that runs in the browser of anyone who views the affected page, which exposes sites to unauthorized access to sensitive user information, session hijacking, and the injection of malicious content.
To remediate this vulnerability, users should update the Image Optimization by Optimole plugin to version 3.13.0 or later, which includes a patch addressing the issue.
Advice for Users:
- Immediate Action: Users are strongly encouraged to update the Image Optimization by Optimole plugin to version 3.13.0 or later to ensure their WordPress installations are not vulnerable to this Cross-Site Scripting attack.
- Check for Signs of Vulnerability: Site administrators should review their WordPress sites for any signs of unauthorized modifications or suspicious content that may indicate a successful exploitation of this vulnerability.
- Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
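As an added example (not code from the Optimole plugin, from Wordfence or from the author of this report), the following Python script shows one way to carry out the review suggested above: it walks a WordPress wp-content/uploads tree and flags SVG files that contain active content of the kind this advisory describes. The uploads path, the constructed sample files and the finding labels are assumptions made for the example.

```python
"""Triage scan of SVG files under a WordPress uploads directory for active content.

Added example for this advisory; not code from the Optimole plugin or Wordfence.
Assumes SVG media lives under wp-content/uploads and that any <script> element,
on* event-handler attribute, javascript: URI or <foreignObject> element is worth
a manual review. It is a detection aid, not a sanitizer: flagged files still
need to be inspected and removed by hand.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Text patterns used only when a file is not well-formed XML.
_TEXT_PATTERNS = {
    "<script> element": re.compile(r"<\s*script\b", re.I),
    "event handler attribute": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript: URI": re.compile(r"href\s*=\s*[\"']?\s*javascript:", re.I),
    "<foreignObject> element": re.compile(r"<\s*foreignObject\b", re.I),
}
_EVENT_ATTR = re.compile(r"^on[a-z]+$")


def _local(name: str) -> str:
    """Drop an ElementTree namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def _is_js_uri(value: str) -> bool:
    """URL parsers strip tabs, newlines and leading control characters, so normalise first."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith("javascript:")


def scan_svg_text(svg_text: str) -> List[str]:
    """Return human-readable findings for one SVG document (empty list if none)."""
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Not well-formed XML: fall back to a case-insensitive text scan so a
        # damaged or truncated file is still triaged rather than silently skipped.
        return [label + " (text match, file not well-formed)"
                for label, pat in _TEXT_PATTERNS.items() if pat.search(svg_text)]
    for elem in root.iter():  # root.iter() includes the root element itself
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in elem.attrib.items():  # xmlns declarations are not in attrib
            a = _local(attr).lower()
            if _EVENT_ATTR.match(a):
                findings.append(f"event handler attribute {a}= on <{tag}>")
            elif a == "href" and _is_js_uri(value):
                findings.append(f"javascript: URI in href on <{tag}>")
    return findings


def scan_uploads(uploads_dir: Path) -> Dict[str, List[str]]:
    """Map each SVG under uploads_dir (path relative to it) to its findings; clean files are omitted."""
    report: Dict[str, List[str]] = {}
    for path in sorted(uploads_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".svg":
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        findings = scan_svg_text(text)
        if findings:
            report[path.relative_to(uploads_dir).as_posix()] = findings
    return report


# Constructed sample files (not real uploads) used by demo() and the tests.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
              'onload="/* constructed */"><script>/* constructed, no payload */</script>'
              '<a xlink:href="javascript:void(0)"><text y="10">x</text></a></svg>')
MALFORMED_SVG = '<svg><script>/* constructed */</script>'  # closing </svg> missing


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples into a temporary uploads tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "wp-content" / "uploads"
        month = uploads / "2024" / "05"  # WordPress stores media in year/month folders
        month.mkdir(parents=True)
        (month / "logo.svg").write_text(CLEAN_SVG, encoding="utf-8")
        (month / "banner.svg").write_text(ACTIVE_SVG, encoding="utf-8")
        (month / "broken.SVG").write_text(MALFORMED_SVG, encoding="utf-8")
        return scan_uploads(uploads)


if __name__ == "__main__":
    # For a real site: scan_uploads(Path("/var/www/html/wp-content/uploads"))
    for rel_path, issues in demo().items():
        print(rel_path, "->", "; ".join(issues))
```

A finding means the file deserves a manual look, not that it is certainly malicious, since some legitimate SVG tooling emits scripts. The scan inspects the file text and XML structure only, so it will not see content hidden behind entity encoding or pulled in from external references; it complements the plugin update rather than replacing it.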
The prompt response from the Optimole developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.13.0 or later of the Image Optimization by Optimole plugin to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/optimole-wp
Detailed Report:
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.