What the vulnerability does
01Description
Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
What the vulnerability does
Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
Explanation of Vulnerability in Simple Terms
ShortPixel Image Optimizer versions up to 6.4.3 contain a deserialization flaw that allows authenticated administrators to execute arbitrary PHP code on the site. An attacker with admin access can craft malicious serialized data that, when processed by the plugin, runs their own code with full site privileges. This requires high-level access but poses a complete compromise risk.
What an attacker can do
Run arbitrary PHP code on the site with administrator privileges.
Potential impact on your site
A compromised admin account can fully compromise your site, including data theft, malware injection, and site takeover.
Conditions required to exploit
Attacker must have administrator-level access to the WordPress site.
Key dates
External resources
Related vulnerabilities