Vulnerability in EWWW Image Optimizer plugin. Severity 9.6 (Critical)

We disclosed a critical remote code execution vulnerability in the EWWW Image Optimizer plugin to the author yesterday morning. He responded very quickly and published a fix this morning. The plugin is very popular with over 300,000 active installs, according to

Wordfence Senior Developer Sean Murphy discovered the Remote Command Execution vulnerability which an attacker can exploit on multisite WordPress installations to gain complete control of a WordPress site. Sean is the same researcher who discovered the critical security hole in Freshdesk that affected thousands of Freshdesk corporate customers, which we announced last month.

The vulnerability can be exploited in a number of ways including creating a backdoor or taking a site down altogether. To learn more about what hackers do with compromised websites, check out our blog post from April.

Severity: 9.6 (Critical)


What to do

If you are running the Premium version of Wordfence and have the firewall enabled you are already protected. We added a firewall rule that protects against this vulnerability yesterday morning.

Free Wordfence users running the vulnerable version of the EWWW plugin should update to version 2.8.5 immediately. 

Did you enjoy this post? Share it!


  • did the update which was released today fix the the problem? thx roger

    • Hi Roger, yes it did. You can see it in the change log and we retested our proof of concept to confirm it. You'll want to upgrade to version 2.8.5 if you haven't already.

      • Thank you!

  • Does this vulnerability affect only multi-site installs?

    Or single installs?

    I'm looking for a clarification on this statement: "... an attacker can exploit on multisite WordPress installations to gain complete control of a WordPress site. "

    Thank you in advance for your response

    • Yes, it's multi-site only.

      • That's good to know it's Multisite only. I have of course updated all sites this morning and have wordfence running on each one, great plugin.

        My one concern is that EWWW should only be something running on the backed of a site, how is it ever exposed to people on the front end of a site?

  • Looks like EWWWW updated their plugin earlier today, does that mean they have patched the exploit themselves now? Their changelog did not specify.


  • Thanks to Sean once again for his diligence! The digital world is a safer place whilst he's around.

    Sounds like an idea we could sell to Marvel or DC :-)