4.3

CVE-2023-1335

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'ucss_connect'

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'ucss_connect'

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucss_connect function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to connect a new license key to the site.
Mögliche Gegenmaßnahme
RapidLoad AI – Optimize Web Vitals Automatically: Update to version 1.7.2, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RapidloadRapidload Power-up For Autoptimize SwPlatformwordpress Version <= 1.7.1
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt RapidLoad AI – Optimize Web Vitals Automatically
Version *-1.7.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.55% 0.415
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security@wordfence.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php?contextall=1&old=2847136&old_path=%2Funusedcss%2Ftrunk%2Fincludes%2Fmodules%2Funused-css%2FUnusedCSS_Admin.php
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/eba48c51-87d9-4e7e-b4c1-0205cd96d033
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/eba48c51-87d9-4e7e-b4c1-0205cd96d033?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/eba48c51-87d9-4e7e-b4c1-0205cd96d033
Third Party Advisory