CVE-2023-0619 – Kraken.io Image Optimizer <= 2.6.8 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
https://notcve.org/view.php?id=CVE-2023-0619
01 Feb 2023 — The Kraken.io Image Optimizer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset image optimizations. • https://plugins.trac.wordpress.org/browser/kraken-image-optimizer/tags/2.6.6/kraken.php#L705 • CWE-862: Missing Authorization •
CVE-2022-38454 – WordPress Kraken.io Image Optimizer plugin <= 2.6.5 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-38454
23 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in Kraken.io Image Optimizer plugin <= 2.6.5 at WordPress. A Cross-Site Request Forgery (CSRF) vulnerability in the Kraken.io Image Optimizer plugin, versions up to and including 2.6.5, on WordPress. The Kraken.io Image Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.5. This is due to missing nonce validation on the kraken_settings_page() function. This makes it possible for unauth... • https://patchstack.com/database/vulnerability/kraken-image-optimizer/wordpress-kraken-io-image-optimizer-plugin-2-6-5-cross-site-request-forgery-csrf-vulnerability/_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •