vulnerability

WordPress Plugin: autoptimize: CVE-2021-24377: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:M/Au:N/C:P/I:P/A:P)	Oct 9, 2020	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:P)

Published

Oct 9, 2020

Added

May 15, 2025

Modified

May 15, 2025

Description

The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It is a bypass of CVE-2020-24948.

Solution

autoptimize-plugin-cve-2021-24377

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-24377
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/ef9a6ef5-368e-40df-9a17-2779e453dfcc?source=api-prod
CVE-2021-24377
https://attackerkb.com/topics/CVE-2021-24377

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today