CVE-2024-4636

Description

The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PUBLISHED Reserved 2024-05-07 | Published 2024-05-15 | Updated 2024-08-01 | Assigner Wordfence

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Timeline

Credits

wesley finder

References

www.wordfence.com/...-fc84-442d-bb34-834ad9f4465b?source=cve

plugins.trac.wordpress.org/...-wp/tags/3.12.10/inc/admin.php

plugins.trac.wordpress.org/changeset/3086306/

cve.org (CVE-2024-4636)

nvd.nist.gov (CVE-2024-4636)

Download JSON