CVE-2024-8480 HIGH

CVE-2024-8480: Image Optimizer, Resizer and CDN – Sirv <= 7.2.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload

Vendor Sirv
Product Image Optimizer, Resizer and CDN – Sirv
Weakness CWE-862 · Missing authorization
Published September 6, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sirv_save_prevented_sizes' function in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to exploit the 'sirv_upload_file_by_chunks_callback' function, which lacks proper file type validation, allowing attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Key dates

02Disclosure timeline

September 6, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-31098 WordPress New Order Notification for Woocommerce plugin <= 2.0.2 - Broken Access Control vulnerability CVE-2026-45350 Open WebUI: Chat completion API allows tool restrictions to be bypassed CVE-2026-30889 Discourse has Unauthorized Post Data Exposure in discourse-user-notes CVE-2024-31230 WordPress ShortPixel Adaptive Images plugin <= 3.8.2 - Broken Access Control vulnerability CVE-2026-24543 WordPress Materialis Companion plugin <= 1.3.52 - Broken Access Control vulnerability