WordPress Plugin Vulnerabilities

reSmush.it Image Optimizer < 0.4.7 - Multiple CSRF

Description

The plugin does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site.

Proof of Concept

Affects Plugins

Plugin icon
resmushit-image-optimizer
Fixed in 0.4.7

References

CVE
CVE-2022-2449

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
raadfhaddad
Verified
Yes
WPVDB ID
6e42f26b-3403-4d55-99ad-2c8e2d76e537

Timeline

Publicly Published
2022-10-19 (about 3 years ago)
Added
2022-10-19 (about 3 years ago)
Last Updated
2022-10-26 (about 3 years ago)

Other

Published
Title
Published
2025-12-15
Title
Meks Quick Plugin Disabler <= 1.0 - Cross-Site Request Forgery
Published
2024-12-18
Title
Wayne Audio Player <= 1.0 - Cross-Site Request Forgery to Privilege Escalation
Published
2025-01-13
Title
Background Control <= 1.0.5 - Cross-Site Request Forgery to Arbitrary File Deletion
Published
2014-08-01
Title
LayerSlider 4.6.1 - Style Editing CSRF
Published
2022-10-17
Title
Easy Digital Downloads < 3.0 - Arbitrary Post Deletion via CSRF