CVE-2023-40600

MEDIUM EXPLOITED NUCLEI

EWWW Image Optimizer <7.2.0 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2023-40600 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including RandomRobbieBF. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository provides a functional proof-of-concept for CVE-2023-40600, an unauthenticated sensitive information exposure vulnerability in the EWWW Image Optimizer WordPress plugin. The PoC demonstrates accessing the debug log file directly via a predictable path, exposing sensitive data when debug logging is enabled.

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exactly WWW EWWW Image Optimizer. It works only when debug.log is turned on.This issue affects EWWW Image Optimizer: from n/a through 7.2.0.

Exploits (1)

nomisec WORKING POC

by RandomRobbieBF · infoleak

https://github.com/RandomRobbieBF/CVE-2023-40600

View Code ZIP pw:eip

The repository provides a functional proof-of-concept for CVE-2023-40600, an unauthenticated sensitive information exposure vulnerability in the EWWW Image Optimizer WordPress plugin. The PoC demonstrates accessing the debug log file directly via a predictable path, exposing sensitive data when debug logging is enabled.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: EWWW Image Optimizer <= 7.2.0

No auth needed

Prerequisites: Debug logging must be enabled in the plugin

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

EWWW Image Optimizer <= 7.2.0 - Unauthenticated Information Disclosure

MEDIUMVERIFIEDby Shivam Kamboj

References (1)

Core 1

Core References

Third Party Advisory vdb-entry

https://patchstack.com/database/vulnerability/ewww-image-optimizer/wordpress-ewww-image-optimizer-plugin-7-2-0-sensitive-data-exposure-vulnerability?_s_id=cve

Scores

CVSS v3 5.3

EPSS 0.0204

EPSS Percentile 78.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2026-03-31

CWE

CWE-200

Status published

Products (2)

ewww/image_optimizer < 7.2.1

Exactly WWW/EWWW Image Optimizer < 7.2.0

Published Nov 30, 2023

Tracked Since Feb 18, 2026