Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN Vulnerability – Missing Authorization to Resmush List Deletion – CVE-2023-3352 | WordPress Plugin Vulnerability Report
Plugin Name: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN
Key Information:
- Software Type: Plugin
- Software Slug: wp-smushit
- Software Status: Active
- Software Author: wpmudev
- Software Downloads: 54,994,090
- Active Installs: 1,000,000
- Last Updated: July 22, 2024
- Patched Versions: 3.16.5
- Affected Versions: <= 3.16.4
Vulnerability Details:
- Name: Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4
- Title: Missing Authorization to Resmush List Deletion
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2023-3352
- CVSS Score: 4.3
- Publicly Published: June 20, 2024
- Researcher: Truoc Phan An Đặng
- Description: The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen or the Media Library.
Summary:
The Smush Image Optimization plugin for WordPress has a vulnerability in versions up to and including 3.16.4 that allows unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This vulnerability has been patched in version 3.16.5.
Detailed Overview:
The vulnerability, identified by researcher Truoc Phan An Đặng, is due to a missing authorization check on the delete_resmush_list() function within the Smush plugin. This flaw allows authenticated attackers with minimal permissions, such as a subscriber, to delete the resmush list for Nextgen or the Media Library. This poses a risk to the integrity of image optimization processes on affected websites. Users running versions up to 3.16.4 are at risk, and the remediation involved implementing a proper capability check to prevent unauthorized deletions.
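To make the missing-check pattern concrete, here is an illustrative before/after of an admin-ajax handler of this kind. This is an added example, not the Smush plugin's own code; the hook name, nonce action, option keys and the manage_options capability are assumptions chosen for illustration.

```php
<?php
// Added illustrative example, not the Smush plugin's actual code.
// Hook name, nonce action, option keys and capability are assumptions.

// BEFORE (the pattern behind CVE-2023-3352): wp_ajax_* hooks are reachable by
// any logged-in user, so a handler that never asks *who* is calling lets a
// subscriber delete the list. Shown for contrast; deliberately not hooked.
function delete_resmush_list_vulnerable() {
    $type = isset( $_POST['type'] ) ? sanitize_key( $_POST['type'] ) : 'media';
    delete_option( 'wp-smush-resmush-list-' . $type ); // option key assumed
    wp_send_json_success();
}

// AFTER: a nonce check (CSRF) plus a capability check (authorization).
// Only a user who may manage the site can clear the resmush list.
add_action( 'wp_ajax_smush_delete_resmush_list', 'delete_resmush_list_fixed' );
function delete_resmush_list_fixed() {
    // Nonce action name is assumed; dies with 403 on a bad or missing nonce.
    check_ajax_referer( 'smush_resmush_nonce', '_ajax_nonce' );

    // The capability check that was missing: reject low-privilege accounts.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Constrain the list type to the two lists the advisory names.
    $type = isset( $_POST['type'] ) ? sanitize_key( $_POST['type'] ) : 'media';
    if ( ! in_array( $type, array( 'media', 'nextgen' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown list type.' ), 400 );
    }

    delete_option( 'wp-smush-resmush-list-' . $type ); // option key assumed
    wp_send_json_success( array( 'deleted' => $type ) );
}
```

The nonce alone is not the fix: a subscriber can obtain a valid nonce for their own session, so the current_user_can() check is what closes the authorization gap.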
Advice for Users:
Immediate Action: Users should update to version 3.16.5 immediately to mitigate this vulnerability.
Check for Signs of Vulnerability: Review your Media Library and Nextgen galleries for any missing or unexpected changes to the resmush list, as this may indicate compromise.
Alternate Plugins: While a patch is available, users might still consider alternative plugins that offer similar functionality as a precaution.
Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
Conclusion:
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.16.5 or later to secure their WordPress installations.
Detailed Report:
In the fast-paced digital world, the security of your WordPress website is of utmost importance. One of the key components of maintaining a secure site is ensuring that all plugins are up to date. Recently, a vulnerability was discovered in the widely used Smush Image Optimization plugin, which affects versions up to 3.16.4. This vulnerability, known as the "Missing Authorization to Resmush List Deletion" (CVE-2023-3352), allows authenticated users with minimal permissions to delete critical resmush lists.
Risks and Potential Impacts
The identified vulnerability allows authenticated attackers with minimal permissions to delete the resmush list used for image optimization. This could result in significant disruptions to your website's image optimization processes, leading to slower load times and a degraded user experience. For small businesses, such performance issues can deter potential customers, harm your brand's reputation, and ultimately impact your bottom line.
Remediation Steps
Immediate Action: Users should update to version 3.16.5 immediately to mitigate this vulnerability. The update includes a proper capability check to prevent unauthorized deletions.
Check for Signs of Vulnerability: Review your Media Library and Nextgen galleries for any missing or unexpected changes to the resmush list, as this may indicate compromise. Regular audits can help you identify and address issues early.
Alternate Plugins: While a patch is available, users might still consider alternative plugins that offer similar functionality as a precaution. Evaluate the security history and update frequency of potential alternatives to ensure they are reliable.
Stay Updated: Regularly update all plugins to their latest versions to avoid potential vulnerabilities. Enable automatic updates if possible and subscribe to security bulletins from trusted sources to stay informed about new vulnerabilities and patches.
Previous Vulnerabilities
The Smush plugin has had 4 previous vulnerabilities since September 21, 2017. This history highlights the importance of consistently monitoring and updating plugins to safeguard your website against newly discovered threats. Regular updates and prompt patching can significantly reduce the risk of exploitation.
Conclusion
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Small business owners, who often juggle multiple responsibilities, must prioritize the security of their WordPress installations. Ensuring that all plugins are up-to-date and regularly monitoring for potential vulnerabilities are essential steps in protecting your online presence. Staying on top of security vulnerabilities is not just a technical necessity but a critical component of maintaining customer trust and business integrity.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.