WP Compress – Image Optimizer < 6.11.11 – Missing Authorization to Unauthenticated CDN Modification | CVE 2024-1934 | Plugin Vulnerabilities

Description

The WP Compress – Image Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wps_local_compress::__construct' function in all versions up to, and including, 6.11.10. This makes it possible for unauthenticated attackers to reset the CDN region and set a malicious URL to deliver images.

Affects Plugins

wp-compress-image-optimizer

Fixed in 6.11.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/88a46a24-6d46-44cc-ac01-70a1c329cb51

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

838b7c6b-0919-4c49-8691-0bc2dc4e4fd4

Timeline

Publicly Published

2024-03-21 (about 2 years ago)

Added

2024-03-21 (about 2 years ago)

Last Updated

2024-03-21 (about 2 years ago)

Other

Published

Title

Published

2025-01-15

Title

Widget Options < 4.0.9 - Missing Authorization to Notice Dismissal

Published

2025-01-14

Title

WpTravelly < 1.8.6 - Missing Authorization

Published

2024-02-26

Title

Thank You Page Customizer for WooCommerce – Increase Your Sales < 1.1.3 - Missing Authorization to Authenticated (Subscriber+) Data Export

Published

2023-11-22

Title

Super Progressive Web Apps < 2.2.22 - Missing Authorization

Published

2025-06-05

Title

Activity Plus Reloaded for BuddyPress <= 1.1.2 - Missing Authorization