WordPress Plugin Vulnerabilities

RapidLoad Power-Up for Autoptimize < 1.7.2 - Unauthorised AJAX Calls

Description

The plugin does not have authorisation and CSRF checks in various AJAX actions (such as deleting logs files etc), allowing them to be called by any authenticated users, such a subscriber or via CSRF attacks

Affects Plugins

Plugin icon
unusedcss
Fixed in 1.7.2

References

CVE
CVE-2023-1472
CVE
CVE-2023-1333
CVE
CVE-2023-1334
CVE
CVE-2023-1340
CVE
CVE-2023-1341
CVE
CVE-2023-1342
CVE
CVE-2023-1343
CVE
CVE-2023-1344
CVE
CVE-2023-1345
CVE
CVE-2023-1346
CVE
CVE-2023-1339
CVE
CVE-2023-1336
CVE
CVE-2023-1337
CVE
CVE-2023-1338
CVE
CVE-2023-1335

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
f95cb064-eef1-4210-bdf3-93661ca36f9c

Timeline

Publicly Published
2023-03-10 (about 2 years ago)
Added
2023-06-22 (about 2 years ago)
Last Updated
2023-06-22 (about 2 years ago)

Other

Published
Title
Published
2026-01-27
Title
Easy Replace Image < 3.5.3 - Missing Authorization to Authenticated (Contributor+) Arbitrary Attachment Replacement
Published
2025-04-01
Title
Automatic Featured Images from Videos < 1.2.5 - Missing Authorization
Published
2023-10-26
Title
Deeper Comments <= 2.1.1 - Subscriber+ Arbitrary Options Update
Published
2025-10-24
Title
ThemeRain Core <= 1.1.9 - Missing Authorization
Published
2025-12-30
Title
WpStream < 4.9.6 - Missing Authorization