vulnerability

WordPress Plugin: images-optimize-and-upload-cf7: CVE-2022-4101: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:N/C:N/I:C/A:C)	Dec 21, 2022	Jun 3, 2025	Jun 3, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:C/A:C)

Published

Dec 21, 2022

Added

Jun 3, 2025

Modified

Jun 3, 2025

Description

The Images Optimize and Upload CF7 plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the yr_api_delete AJAX action available to unprivileged users in versions up to, and including, 2.1.4. This makes it possible for unauthenticated attackers to delete arbitrary files. This could be used to delete the wp-config.php file that would make complete site takeover relatively simple for an attacker.

Solution

images-optimize-and-upload-cf7-plugin-cve-2022-4101

References

URL-https://www.cve.org/CVERecord?id=CVE-2022-4101
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fb20fb-a795-4ab0-9614-6ae6ac4f2eda?source=api-prod
CVE-2022-4101
https://attackerkb.com/topics/CVE-2022-4101

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today