Image Optimizer, Resizer and CDN – Sirv <= 7.2.0 - Missing Authorization

Wordfence Intelligence   >   Vulnerability Database   >   Image Optimizer, Resizer and CDN – Sirv <= 7.2.0 - Missing Authorization
4.3
Missing Authorization
CVE CVE-2024-27950
CVSS 4.3 (Medium)
Publicly Published March 1, 2024
Last Updated March 4, 2024
Researcher CatFather

Description

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including 7.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions.

References

Share

Vulnerability Details for Image Optimizer, Resizer and CDN – Sirv

Image Optimizer, Resizer and CDN – Sirv

Software Type Plugin
Software Slug sirv (view on wordpress.org)
Patched? Yes
Remediation Update to version 7.2.1, or a newer patched version
Affected Version
  • <= 7.2.0
Patched Version
  • 7.2.1

Recent vulnerabilities in Image Optimizer, Resizer and CDN – Sirv

Sirv <= 7.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2025-46233
Apr 22, 2025
Researcher: Trương Hữu Phúc (truonghuuphuc)
Image Optimizer, Resizer and CDN – Sirv <= 7.3.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Option Deletion
8.1
CVE-2024-10855
Nov 19, 2024
Researcher: Arkadiusz Hydzik
Image Optimizer, Resizer and CDN – Sirv <= 7.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
6.4
CVE-2024-8964
Oct 7, 2024
Researcher: Francesco Carlucci
Image Optimizer, Resizer and CDN – Sirv <= 7.2.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
8.8
CVE-2024-8480
Aug 21, 2024
Researcher: scottaglia
Image Optimizer, Resizer and CDN – Sirv <= 7.2.7 - Authenticated(Subscriber+) Missing Authorization to Plugin Settings Update
5.4
CVE-2024-6392
Jul 11, 2024
Researcher: Rafshanzani Suhada
Image Optimizer, Resizer and CDN – Sirv <= 7.2.6 - Authenticated (Contributor+) Arbitrary File Upload
9.9
CVE-2024-5853
Jun 18, 2024
Researcher: Lucio Sá
Sirv <= 7.2.2 - Missing Authorization to Arbitrary Options Update
9.8
CVE-2024-32959
Apr 23, 2024
Researcher: Emili Castells
Image Optimizer, Resizer and CDN – Sirv <= 7.2.0 - Authenticated (Subscriber+) Server-Side Request Forgery
6.4
CVE-2024-27949
Mar 1, 2024
Researcher: CatFather
Sirv <= 7.1.2 - Missing Authorization via sirv_disconnect
4.3
CVE-2023-50898
Dec 26, 2023
Researcher: Abdi Pranata
Image Optimizer, Resizer and CDN – Sirv <= 6.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
5.5
CVE-2022-4119
Dec 9, 2022
Researcher: iohex
# Title CVE ID CVSS Researchers Date
1 Sirv <= 7.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-46233 6.4 Trương Hữu Phúc (truonghuuphuc) April 22, 2025
2 Image Optimizer, Resizer and CDN – Sirv <= 7.3.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Option Deletion CVE-2024-10855 8.1 Arkadiusz Hydzik November 19, 2024
3 Image Optimizer, Resizer and CDN – Sirv <= 7.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2024-8964 6.4 Francesco Carlucci October 7, 2024
4 Image Optimizer, Resizer and CDN – Sirv <= 7.2.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload CVE-2024-8480 8.8 scottaglia August 21, 2024
5 Image Optimizer, Resizer and CDN – Sirv <= 7.2.7 - Authenticated(Subscriber+) Missing Authorization to Plugin Settings Update CVE-2024-6392 5.4 Rafshanzani Suhada July 11, 2024
6 Image Optimizer, Resizer and CDN – Sirv <= 7.2.6 - Authenticated (Contributor+) Arbitrary File Upload CVE-2024-5853 9.9 Lucio Sá June 18, 2024
7 Sirv <= 7.2.2 - Missing Authorization to Arbitrary Options Update CVE-2024-32959 9.8 Emili Castells April 23, 2024
8 Image Optimizer, Resizer and CDN – Sirv <= 7.2.0 - Authenticated (Subscriber+) Server-Side Request Forgery CVE-2024-27949 6.4 CatFather March 1, 2024
9 Sirv <= 7.1.2 - Missing Authorization via sirv_disconnect CVE-2023-50898 4.3 Abdi Pranata December 26, 2023
10 Image Optimizer, Resizer and CDN – Sirv <= 6.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2022-4119 5.5 iohex December 9, 2022
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation