CVE-2023-3352: 
WordPress vulnerability analysis and mitigation

The Smush plugin for WordPress (CVE-2023-3352) is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the deleteresmushlist() function. This vulnerability was disclosed on June 20, 2024, affecting the Smush WordPress plugin. The vulnerability allows authenticated attackers with minimal permissions, such as subscribers, to delete the resmush list for Nextgen or the Media Library (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability stems from a missing capability check in the deleteresmushlist() function, which allows users with minimal permissions to perform unauthorized deletions (NVD).

When exploited, this vulnerability allows authenticated attackers with minimal privileges (such as subscriber-level access) to delete the resmush list for both Nextgen and the Media Library. This can affect the image optimization functionality of the WordPress site (NVD).

A fix has been implemented in the WordPress plugin repository as evidenced by the changelog. Users are advised to update to the latest version of the Smush plugin to address this vulnerability (WordPress Plugin).