CVE-2024-4445

MEDIUM EPSS 26.1%

Published May 14, 20242y ago · Modified Jun 17, 20261w ago

4.3 CVSS 3.1

Medium

Published May 14, 2024 2y ago

Last Modified Jun 17, 2026 1w ago

Description

The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments.

CVSS Details

Base Score

4.3

Exploitability

2.8

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality None

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

26.1% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 2

CWE-601

CWE-862 Missing Authorization Authorization

Affected Products 1

Vendor	Product	Version	Range
wpcompress	wp_compress	*	<6.20.02

References 3

plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/wp-compress-image-optimizer/trunk/classes/mu.class.php?rev=2946135

Product
plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/3082085/#file655

Patch
wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/830f53a4-da3b-4a95-99f1-c4a4c8e6944c?source=cve

Third Party Advisory

Remediation

plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/3082085/#file655

Patch