CVE-2021-24430
📋 TL;DR
This vulnerability in the Speed Booster Pack WordPress plugin allows remote code execution (RCE) due to improper input validation. Attackers can inject malicious PHP code through plugin settings, which gets written to a PHP file and executed. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, install backdoors, steal data, deface websites, or pivot to internal networks.
Likely Case
Website defacement, data theft, malware installation, or cryptocurrency mining through compromised WordPress sites.
If Mitigated
No impact if the plugin is patched or disabled; limited impact if a web application firewall and proper input validation are in place.
🎯 Exploit Status
Exploitation requires authenticated access to WordPress admin panel to modify plugin settings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.0
Vendor Advisory: https://wordpress.org/plugins/speed-booster-pack/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Speed Booster Pack plugin.
4. Click 'Update Now' if available, or download version 4.2.0+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Speed Booster Pack plugin until patched
wp plugin deactivate speed-booster-pack
Web Application Firewall rule
Block requests containing PHP code injection patterns in plugin settings
🧯 If You Can't Patch
- Remove plugin entirely from WordPress installation
- Restrict admin panel access to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Speed Booster Pack → Version number
Check Version:
wp plugin get speed-booster-pack --field=version
Verify Fix Applied:
Confirm plugin version is 4.2.0 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP file creation/modification in plugin directories
- Admin user modifying Speed Booster Pack settings unexpectedly
- POST requests to wp-admin/admin.php with caching_exclude_urls parameter
Network Indicators:
- HTTP requests containing PHP code in POST parameters
- Unusual outbound connections from web server after plugin settings changes
SIEM Query:
source="wordpress.log" AND "caching_exclude_urls" AND ("eval(" OR "system(" OR "exec(")
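The log indicators and SIEM query above, turned into a small offline check. This is an added example, not part of the advisory or the plugin; it assumes a constructed log format of "timestamp client method path body" (real web server access logs usually omit the POST body, so such lines would come from a WAF or audit log), and the settings page slug is a placeholder.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Parameter named in the advisory's indicators and the call patterns its SIEM query looks for.
TARGET_PARAM = "caching_exclude_urls"
PHP_CALL_RE = re.compile(r"(eval|system|exec)\s*\(", re.IGNORECASE)

# Assumed (constructed) log format: "<timestamp> <client-ip> <method> <path> <body>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ?(.*)$")

# Constructed sample log lines; the last one carries a non-functional marker string
# with the "eval(" pattern the SIEM query matches on. "page=sbp-settings" is a placeholder.
SAMPLE_LOG = [
    "2021-05-10T10:00:01Z 203.0.113.5 GET /wp-admin/admin.php?page=sbp-settings",
    "2021-05-10T10:00:09Z 203.0.113.5 POST /wp-admin/admin.php page=sbp-settings&caching_exclude_urls=%2Fcheckout%2F%2C%2Fcart%2F",
    "2021-05-10T10:02:44Z 198.51.100.7 POST /wp-admin/admin.php page=sbp-settings&caching_exclude_urls=%2Fcart%2F+eval%28...%29",
]


def is_suspicious(line):
    """Return the decoded caching_exclude_urls value if this line is a POST to
    wp-admin/admin.php whose value contains a PHP call pattern, otherwise None."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, _ip, method, path, body = m.groups()
    # Only settings saves matter: POST to admin.php, as in the advisory's log indicators.
    if method != "POST" or not path.endswith("wp-admin/admin.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get(TARGET_PARAM, []):
        # parse_qs already decoded once; decoding again catches double-encoded values.
        decoded = unquote_plus(value)
        if PHP_CALL_RE.search(decoded):
            return decoded
    return None


def scan(lines):
    """Return (line_number, offending_value) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = is_suspicious(line)
        if hit is not None:
            hits.append((number, hit))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious {TARGET_PARAM} value: {value!r}")
```

Because the match is a plain substring test like the SIEM query, legitimate exclusion URLs that happen to contain "exec(" would also be flagged; treat hits as leads to confirm against the plugin's generated PHP file, not as proof of compromise.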
🔗 References
- https://m0ze.ru/vulnerability/%5B2021-05-10%5D-%5BWordPress%5D-%5BCWE-94%5D-Speed-Booster-Pack-WordPress-Plugin-v4.2.0-beta.txt
- https://wpscan.com/vulnerability/945d6d2e-fa25-42c0-a7b4-b1794732a0df