Vulnerability in EWWW Image Optimizer plugin. Severity 9.6 (Critical)

We disclosed a critical remote code execution vulnerability in the EWWW Image Optimizer plugin to the author yesterday morning. He responded very quickly and published a fix this morning. The plugin is very popular with over 300,000 active installs, according to wordpress.org.

Wordfence Senior Developer Sean Murphy discovered the Remote Command Execution vulnerability which an attacker can exploit on multisite WordPress installations to gain complete control of a WordPress site. Sean is the same researcher who discovered the critical security hole in Freshdesk that affected thousands of Freshdesk corporate customers, which we announced last month.

The vulnerability can be exploited in a number of ways including creating a backdoor or taking a site down altogether. To learn more about what hackers do with compromised websites, check out our blog post from April.

Severity: 9.6 (Critical)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What to do

If you are running the Premium version of Wordfence and have the firewall enabled you are already protected. We added a firewall rule that protects against this vulnerability yesterday morning.

Free Wordfence users running the vulnerable version of the EWWW plugin should update to version 2.8.5 immediately.


Comments

8 Comments
  • Did the update which was released today fix the problem? Thx, Roger

    • Hi Roger, yes it did. You can see it in the change log and we retested our proof of concept to confirm it. You'll want to upgrade to version 2.8.5 if you haven't already.

      • Thank you!

  • Does this vulnerability affect only multi-site installs?

    Or single installs?

    I'm looking for a clarification on this statement: "... an attacker can exploit on multisite WordPress installations to gain complete control of a WordPress site. "

    Thank you in advance for your response

    • Yes, it's multi-site only.

      • That's good to know it's Multisite only. I have, of course, updated all sites this morning and have Wordfence running on each one. Great plugin.

        My one concern is that EWWW should only be something running on the backend of a site; how is it ever exposed to people on the front end of a site?

  • Looks like EWWW updated their plugin earlier today. Does that mean they have patched the exploit themselves now? Their changelog did not specify.

    Thanks

  • Thanks to Sean once again for his diligence! The digital world is a safer place whilst he's around.

    Sounds like an idea we could sell to Marvel or DC :-)