CVE-2021-24377
HIGH
Autoptimize < 2.7.8 - Remote Code Execution via Import Settings Race Condition
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potentially malicious files from the archive extracted via the 'Import Settings' feature; however, this is not sufficient to protect against RCE, because a race condition can be won in the window between the file being extracted to disk and its removal. It is a bypass of CVE-2020-24948.
References (1)
Exploit, Third Party Advisory (x_refsource_confirm)
https://wpscan.com/vulnerability/85c0a564-2e56-413d-bc3a-1039343207e4
Scores
CVSS v3
8.1
EPSS
0.0118
EPSS Percentile
63.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-362
Status
published
Products (1)
autoptimize/autoptimize
< 2.7.8
Published
Jun 21, 2021
Tracked Since
Feb 18, 2026