CVE-2020-36750: Changeset 2417429 for ewww-image-optimizer/trunk/classes/class-ewww-nextgen.php – WordPress Plugin Repository
The EWWW Image Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.1. This is due to missing or incorrect nonce validation in the ewww_ngg_bulk_init() function. This makes it possible for unauthenticated attackers to perform bulk image optimization via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
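To make the advisory's "incorrect nonce validation" concrete, the following added example (not the plugin's own code) models the bulk-init access check before and after the fix and evaluates it against three constructed request shapes. The WordPress functions it calls (wp_verify_nonce, sanitize_key, current_user_can) are replaced by constructed stand-ins so it runs with the plain PHP CLI outside WordPress; the valid nonce value and the assumption that the caller is a logged-in administrator are both constructed, and `?? ''` is used where the real code reads the request index directly.

```php
<?php
// Added example, not plugin code: model the nonce check from the advisory with
// constructed stand-ins for the WordPress functions it calls, and show which
// request shapes pass the pre-fix '&&' condition versus the post-fix '||' one.

const VALID_NONCE = 'deadbeef12'; // constructed stand-in; real nonces are derived from user and session state

// Stand-in for wp_verify_nonce(): accepts one constructed value for one action.
// Like the real function, it rejects an empty nonce outright.
function wp_verify_nonce( $nonce, $action ) {
    if ( '' === (string) $nonce ) {
        return false;
    }
    return ( 'ewww-image-optimizer-bulk' === $action && VALID_NONCE === $nonce ) ? 1 : false;
}

// Stand-in for sanitize_key(): lowercase alphanumerics, underscore and hyphen only.
function sanitize_key( $key ) {
    return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
}

// Stand-in for current_user_can(): assume a logged-in administrator, which is
// exactly the victim a CSRF forgery relies on.
function current_user_can( $cap ) {
    return true;
}

// Access check as it read before the changeset (the vulnerable form).
function access_denied_before( array $request ) {
    return empty( $request['ewww_wpnonce'] )
        && ! wp_verify_nonce( sanitize_key( $request['ewww_wpnonce'] ?? '' ), 'ewww-image-optimizer-bulk' )
        || ! current_user_can( 'manage_options' );
}

// Access check as it reads after the changeset (the fixed form).
function access_denied_after( array $request ) {
    return empty( $request['ewww_wpnonce'] )
        || ! wp_verify_nonce( sanitize_key( $request['ewww_wpnonce'] ?? '' ), 'ewww-image-optimizer-bulk' )
        || ! current_user_can( 'manage_options' );
}

// Constructed request shapes: no nonce, a non-empty invalid nonce, a valid nonce.
$cases = array(
    'no nonce'      => array(),
    'invalid nonce' => array( 'ewww_wpnonce' => 'not-a-real-nonce' ),
    'valid nonce'   => array( 'ewww_wpnonce' => VALID_NONCE ),
);

foreach ( $cases as $label => $request ) {
    printf(
        "%-14s before fix: %-8s after fix: %s\n",
        $label,
        access_denied_before( $request ) ? 'denied' : 'ALLOWED',
        access_denied_after( $request ) ? 'denied' : 'ALLOWED'
    );
}
```

Running it shows the defect: with `&&`, only the request with no nonce at all is denied, because any non-empty value makes `empty()` false and short-circuits the conjunction before `wp_verify_nonce()` is consulted, leaving the capability check (which an administrator's browser satisfies) to decide. With `||`, both the missing and the invalid nonce are denied and only the valid one is allowed.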
Timestamp: 11/12/2020 06:56:01 PM (3 years ago)
Author: nosilver4u
Message: releasing 5.8.2
File:
- ewww-image-optimizer/trunk/classes/class-ewww-nextgen.php (1 diff)
ewww-image-optimizer/trunk/classes/class-ewww-nextgen.php
r2403376
r2417429
856
856
$permissions = apply\_filters( 'ewww\_image\_optimizer\_bulk\_permissions', '' );
857
857
$output = array();
858
if ( empty( $\_REQUEST\['ewww\_wpnonce'\] ) && ! wp\_verify\_nonce( sanitize\_key( $\_REQUEST\['ewww\_wpnonce'\] ), 'ewww-image-optimizer-bulk' ) || ! current\_user\_can( $permissions ) ) {
858
if ( empty( $\_REQUEST\['ewww\_wpnonce'\] ) || ! wp\_verify\_nonce( sanitize\_key( $\_REQUEST\['ewww\_wpnonce'\] ), 'ewww-image-optimizer-bulk' ) || ! current\_user\_can( $permissions ) ) {
859
859
$output\['error'\] = esc\_html\_\_( 'Access denied.', 'ewww-image-optimizer' );
860
860
ewwwio\_ob\_clean();
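Review bot: The change from `&&` to `||` on line 858 is the correct fix, and it is worth stating why in the commit message rather than just "releasing 5.8.2". In PHP `&&` binds tighter than `||`, so the old condition grouped as `( empty( nonce ) && ! wp_verify_nonce( ... ) ) || ! current_user_can( $permissions )`: any non-empty nonce value made `empty()` false, short-circuited the conjunction before `wp_verify_nonce()` ran, and left the capability check as the only gate, which an administrator's browser passes on a forged request. With `||`, a missing nonce and an unverifiable nonce both reach the `'Access denied.'` branch, and `wp_verify_nonce()` is only evaluated on a non-empty value, so the sanitized index read is safe. A regression test covering the three request shapes (no nonce, non-empty invalid nonce, valid nonce) would keep this operator from regressing.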