CVE-2024-10855: 
WordPress vulnerability analysis and mitigation

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress (CVE-2024-10855) contains a vulnerability that allows unauthorized modification of data leading to denial of service. The vulnerability affects all versions up to and including 7.3.0, discovered and disclosed on November 20, 2024. The issue stems from insufficient validation on the filename parameter of the sirv_upload_file_by_chunks() function (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability allows authenticated attackers with Contributor-level access and above to delete arbitrary option values on WordPress sites (NVD).

When exploited, this vulnerability can be leveraged to delete option values on the WordPress site, which can create errors and effectively deny service to legitimate users. The impact primarily affects the availability and integrity of the system, while confidentiality remains unaffected as indicated by the CVSS metrics (NVD).

Users are advised to update to version 7.3.1 or later of the Image Optimizer, Resizer and CDN – Sirv plugin for WordPress, which contains fixes for this vulnerability (NVD).