CVE-2023-6699: 
WordPress vulnerability analysis and mitigation

The WP Compress – Image Optimizer [All-In-One] WordPress plugin (CVE-2023-6699) contains a Directory Traversal vulnerability affecting all versions up to and including 6.10.33. This security issue was discovered by Krzysztof Zając and was publicly disclosed on January 3, 2024 (WPScan, NIST).

The vulnerability exists in the css parameter functionality of the plugin, which allows unauthenticated attackers to perform directory traversal attacks. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST and 9.1 (CRITICAL) by Wordfence, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NIST).

This vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server, potentially exposing sensitive information. The high severity rating indicates significant potential impact on system confidentiality (NIST).

The vulnerability has been fixed in version 6.10.34 of the WP Compress – Image Optimizer plugin. Users are strongly advised to update to this version or later to protect their systems (WPScan).