CVE-2023-6699
📋 TL;DR
The WP Compress Image Optimizer WordPress plugin contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files on the server via the css parameter. This affects all versions up to 6.10.33, potentially exposing sensitive configuration files, credentials, and other confidential data. Any WordPress site using the vulnerable plugin is at risk.
💻 Affected Systems
- WP Compress - Image Optimizer [All-In-One] WordPress plugin
📦 What is this software?
Wp Compress by Wpcompress
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive files like wp-config.php containing database credentials, server configuration files, or other confidential data, leading to complete site compromise.
Likely Case
Attackers exfiltrate sensitive configuration files, potentially obtaining database credentials and gaining administrative access to the WordPress site.
If Mitigated
Limited exposure of non-sensitive files if proper file permissions and web server configurations restrict access to critical system files.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via crafted HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.10.34 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Compress Image Optimizer.
4. Click 'Update Now' if available.
5. Alternatively, download version 6.10.34+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the WP Compress plugin until patched
wp plugin deactivate wp-compress-image-optimizer
Web server path restriction
Configure the web server to block directory traversal attempts
# Apache: Add to .htaccess
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.\./ [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Nginx: Add to server block
if ($query_string ~* "\.\./") {
    return 403;
}
🧯 If You Can't Patch
- Immediately disable the WP Compress plugin via WordPress admin or command line
- Implement web application firewall rules to block directory traversal patterns in requests
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel > Plugins > Installed Plugins for the WP Compress version. If the version is 6.10.33 or lower, the site is vulnerable.
Check Version:
wp plugin get wp-compress-image-optimizer --field=version
Verify Fix Applied:
Verify that the plugin version is 6.10.34 or higher in the WordPress admin panel. Test requests containing directory traversal sequences should now return proper errors.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' or directory traversal patterns in query strings
- Unusual file access attempts to sensitive paths like wp-config.php, .env, etc.
Network Indicators:
- HTTP GET requests with css parameter containing path traversal sequences
- Requests to plugin endpoints with abnormal parameter values
SIEM Query:
source="web_logs" AND (uri_path="*wp-content/plugins/wp-compress*" AND query_string="*css=*../*")
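The Apache and Nginx rules in the workarounds test the raw query string, so a percent-encoded `%2e%2e%2f` is not caught by them, and the same applies to the SIEM query when the logged query_string field is not decoded. The following Python detector, added here as an example and not part of the original advisory or of the plugin, applies the same rule (plugin path plus css parameter carrying a traversal sequence) to access-log lines after decoding the parameter; the log lines are constructed, and `placeholder.php` stands in for the plugin endpoint, whose file name the advisory does not give.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample lines in Apache combined log format, not real traffic.
# "placeholder.php" stands in for the plugin endpoint (name not in the advisory).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/placeholder.php?css=../../../../wp-config.php HTTP/1.1" 200 2310 "-" "curl/8.4.0"
203.0.113.11 - - [10/Jan/2024:12:00:02 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/placeholder.php?css=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2310 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2024:12:00:03 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/placeholder.php?css=assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Jan/2024:12:00:04 +0000] "GET /index.php?p=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
PLUGIN_PATH = "wp-content/plugins/wp-compress"   # same path fragment as the SIEM query
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # ".." as a whole path segment

def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %2e%2e%2f and double encoding),
    then fold backslashes so one pattern covers both separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def check_line(line: str):
    """Return (client_ip, status, decoded_css) for a request to the WP Compress
    plugin whose css parameter carries a traversal sequence, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    if PLUGIN_PATH not in parts.path:
        return None
    for css in parse_qs(parts.query, keep_blank_values=True).get("css", []):
        norm = normalize(css)
        if TRAVERSAL_RE.search(norm):
            return ip, int(status), norm
    return None

def scan(log_text: str):
    """Apply check_line to every line and collect the hits."""
    return [hit for hit in map(check_line, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, status, css in scan(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} css={css}")
```

A 200 status on a flagged request is the case worth escalating, since on an unpatched install it indicates the file read likely succeeded.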
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3009183%40wp-compress-image-optimizer%2Ftrunk&old=2994665%40wp-compress-image-optimizer%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/defb87dd-bf5f-411f-b948-699337d05d44?source=cve