← Back

CVE-2024-10855

nvd nist
Published: Nov 20, 2024Modified: Nov 26, 2024

JSON object

Loading...
8.1
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Exploitability: 2.8 / Impact: 5.2
Source: security@wordfence.com (Secondary)

Description

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the filename parameter of the sirv_upload_file_by_chunks() function and lack of in all versions up to, and including, 7.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.

Affected (1)

Products: Sirv: Sirv
Sirv
1 product
Sirv
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Sirv
Before 7.3.1

Related CWEs

CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (3)

Source: security@wordfence.com
Patch
Source: security@wordfence.com
Product
Source: security@wordfence.com
Third Party Advisory

Timeline

No history available yet.