Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Vulnerability in EWWW Image Optimizer plugin. Severity 9.6 (Critical)

This entry was posted in Vulnerabilities, WordPress Security on June 9, 2016 by Dan Moen   8 Replies

We disclosed a critical remote code execution vulnerability in the EWWW Image Optimizer plugin to the author yesterday morning. He responded very quickly and published a fix this morning. The plugin is very popular with over 300,000 active installs, according to wordpress.org.

Wordfence Senior Developer Sean Murphy discovered the Remote Command Execution vulnerability which an attacker can exploit on multisite WordPress installations to gain complete control of a WordPress site. Sean is the same researcher who discovered the critical security hole in Freshdesk that affected thousands of Freshdesk corporate customers, which we announced last month.

The vulnerability can be exploited in a number of ways including creating a backdoor or taking a site down altogether. To learn more about what hackers do with compromised websites, check out our blog post from April.

Severity: 9.6 (Critical)


What to do

If you are running the Premium version of Wordfence and have the firewall enabled you are already protected. We added a firewall rule that protects against this vulnerability yesterday morning.

Free Wordfence users running the vulnerable version of the EWWW plugin should update to version 2.8.5 immediately. 

Did you enjoy this post? Share it!

8 Comments on "Vulnerability in EWWW Image Optimizer plugin. Severity 9.6 (Critical)"

roger June 9, 2016 at 11:12 am

did the update which was released today fix the the problem? thx roger

Dan Moen June 9, 2016 at 11:15 am

Hi Roger, yes it did. You can see it in the change log and we retested our proof of concept to confirm it. You'll want to upgrade to version 2.8.5 if you haven't already.

roger June 12, 2016 at 11:31 pm

Thank you!

Heather June 9, 2016 at 1:11 pm

Does this vulnerability affect only multi-site installs?

Or single installs?

I'm looking for a clarification on this statement: "... an attacker can exploit on multisite WordPress installations to gain complete control of a WordPress site. "

Thank you in advance for your response

mark June 9, 2016 at 1:24 pm

Yes, it's multi-site only.

Mitchell June 9, 2016 at 11:43 pm

That's good to know it's Multisite only. I have of course updated all sites this morning and have wordfence running on each one, great plugin.

My one concern is that EWWW should only be something running on the backed of a site, how is it ever exposed to people on the front end of a site?

Sean Powell June 9, 2016 at 3:59 pm

Looks like EWWWW updated their plugin earlier today, does that mean they have patched the exploit themselves now? Their changelog did not specify.


Jonathan Guy June 10, 2016 at 4:56 am

Thanks to Sean once again for his diligence! The digital world is a safer place whilst he's around.

Sounds like an idea we could sell to Marvel or DC :-)

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 200 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates