WordPress Plugin Vulnerabilities

WP Compress – Image Optimizer [All-In-One] < 6.20.02 - Missing Authorization

Description

The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments.

Affects Plugins

Plugin icon
wp-compress-image-optimizer
Fixed in 6.20.02

References

CVE
CVE-2024-4445
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/830f53a4-da3b-4a95-99f1-c4a4c8e6944c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
dd5ab145-5071-4e38-acc3-3fd4939daa74

Timeline

Publicly Published
2024-05-13 (about 2 years ago)
Added
2024-05-13 (about 2 years ago)
Last Updated
2024-05-13 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
Debug Tool <= 2.2 - Missing Authorization
Published
2025-12-22
Title
TS Poll < 2.6.0 - Missing Authorization
Published
2022-05-23
Title
Like Button Rating < 2.6.45 - Arbitrary e-mail Sending
Published
2024-10-21
Title
HD Quiz – Save Results Light < 0.6 - Missing Authorization
Published
2025-11-14
Title
Social Ninja < 3.20.2 - Missing Authorization