CVE-2024-6392

Image Optimizer, Resizer and CDN – Sirv <= 7.2.7 - Authenticated(Subscriber+) Missing Authorization to Plugin Settings Update

CVSS 5.4 MEDIUMEPSS 0.3%CWE-862

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

11 jul 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized plugin settings modification due to missing capability checks on the plugin functions in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the connected Sirv account to an attacker-controlled one.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Productos afectados

sirv · Image Optimizer, Resizer and CDN – Sirv

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/browser/sirv/tags/7.2.6/sirv.php#L5197 https://plugins.trac.wordpress.org/browser/sirv/tags/7.2.6/sirv.php#L5338 https://www.wordfence.com/threat-intel/vulnerabilities/id/229490c3-d820-4831-b105-a429512c2c60?source=cve