WordPress Plugin Vulnerabilities

Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload

Description

The plugin does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html inside the plugin directory.

Proof of Concept

Affects Plugins

Plugin icon
autoptimize
Fixed in 2.7.8

References

CVE
CVE-2021-24378

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Marcin Węgłowski
Submitter
Marcin Węgłowski
Submitter website
https://afine.pl
Submitter twitter
afinepl
Verified
No
WPVDB ID
375bd694-1a30-41af-bbd4-8a8ee54f0dbf

Timeline

Publicly Published
2020-10-09 (about 5 years ago)
Added
2021-06-07 (about 4 years ago)
Last Updated
2021-06-25 (about 4 years ago)

Other

Published
Title
Published
2025-03-17
Title
WP Email Delivery <= 1.20.11.23 - Reflected XSS
Published
2025-01-16
Title
Stars SMTP Mailer < 2.1.6 - Reflected Cross-Site Scripting
Published
2023-03-30
Title
PixFields <= 0.7.0 - Contributor+ Stored Cross-Site Scripting
Published
2025-08-18
Title
WPC Smart Compare for WooCommerce < 6.4.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Published
2025-04-01
Title
Nemesis All-in-One <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting