Critical Vulnerability Patched in EWWW Image Optimizer Plugin


Yesterday the security team at Wordfence disclosed a critical remote code execution vulnerability in the EWWW Image Optimizer to Shane Bishop, the plugin’s author. Bishop acted quickly to patch the plugin, and an update was pushed out to WordPress.org users this morning.

According to Wordfence, the vulnerability affects multisite WordPress installations, allowing an attacker to gain complete control of a site by creating a backdoor or taking the site down altogether. The company’s security team rated the severity of the vulnerability as 9.6 using the Common Vulnerability Scoring System.

EWWW Image Optimizer is a popular plugin for reducing image sizes and is compatible with several widely used gallery plugins, such as NextGEN and FooGallery. The plugin was first published to WordPress.org in 2012 after Bishop decided to fork CW Image Optimizer. Over the past four years it has gained popularity with features like support for generating WebP images, bulk optimization, and WP-CLI support.

EWWW Image Optimizer is active on more than 300,000 WordPress sites. It’s easy to see why it has a 4.5/5 star rating on WordPress.org, as Bishop is active in support, with the majority of threads opened in the last month having been marked as resolved. His quick work on patching this vulnerability should reassure users of his commitment to maintaining the plugin. Users who have EWWW Image Optimizer installed are advised to update to version 2.8.5, which contains the fix for the vulnerability.


One response to “Critical Vulnerability Patched in EWWW Image Optimizer Plugin”

  1. Not only does this plugin work really well, reliably optimizing JPGs, GIFs, and PNGs as they’re uploaded to the WP Media library, the author, Shane Bishop, is a pleasure to work with. He’s helped me out on several occasions, explaining the plugin’s behavior and working to improve the plugin’s settings interface.

    Thanks to Wordfence for finding and disclosing the vulnerability and to Shane for patching it up overnight.
