WordPress Plugin Vulnerabilities

RapidLoad Power-Up for Autoptimize < 1.7.2 - Multiple Subscriber+ Unauthorised AJAX Calls

Description

The plugin does not have authorisation and CSRF checks in multiple AJAX actions, which could allow users with a role as low as subscriber (or an attacker making any authenticated user open a malicious page) to call them and modify the plugins cache, add a new license, delete logs files, update cache rules etc.

Affects Plugins

Plugin icon
unusedcss
Fixed in 1.7.2

References

CVE
CVE-2023-1472
CVE
CVE-2023-1333
CVE
CVE-2023-1334
CVE
CVE-2023-1335
CVE
CVE-2023-1336
CVE
CVE-2023-1337
CVE
CVE-2023-1338
CVE
CVE-2023-1339
CVE
CVE-2023-1340
CVE
CVE-2023-1341
CVE
CVE-2023-1342
CVE
CVE-2023-1343
CVE
CVE-2023-1344
CVE
CVE-2023-1345
CVE
CVE-2023-1346

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
61001db3-6183-43b3-976c-06c2d7991683

Timeline

Publicly Published
2023-03-10 (about 3 years ago)
Added
2023-03-13 (about 3 years ago)
Last Updated
2023-03-17 (about 3 years ago)

Other

Published
Title
Published
2026-02-18
Title
Book Landing Page < 1.2.8 - Missing Authorization
Published
2024-11-11
Title
Matix Popup Builder <= 1.0.0 - Unauthenticated Arbitrary Options Update
Published
2025-02-17
Title
Team Builder – Meet the Team <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2025-04-01
Title
WordPress Adverts Plugin <= 1.4 - Missing Authorization
Published
2026-01-06
Title
Better Business Reviews < 0.1.2 - Missing Authorization