CVE-2023-1336
📋 TL;DR
The RapidLoad Power-Up for Autoptimize WordPress plugin, in versions up to and including 1.7.1, is missing a capability check in its ajax_deactivate function. This allows authenticated attackers with subscriber-level permissions to disable the plugin's caching functionality. Any WordPress site running a vulnerable version of the plugin is affected.
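The bug class described above, as an added illustration that is not the plugin's actual code: a wp_ajax_ handler that changes state for any logged-in user, beside the same handler with a nonce check and a capability check. The action name rapidload_deactivate is taken from the detection section of this page; the option name and nonce action name are assumed placeholders.

```php
<?php
// Added illustration of the bug class, NOT code from the plugin.
// WordPress routes "action=rapidload_deactivate" on admin-ajax.php to the
// wp_ajax_rapidload_deactivate hook for every logged-in user, including
// subscribers, so the handler itself must decide who may run it.

// Vulnerable pattern: nothing checks a capability or a nonce, so any
// authenticated user reaches update_option() and switches caching off.
function vulnerable_ajax_deactivate() {
    update_option( 'rapidload_cache_enabled', false ); // option name is a placeholder
    wp_send_json_success();
}

// Hardened pattern: verify the request carries a valid nonce, then require a
// capability that only administrators hold, before changing any state.
function hardened_ajax_deactivate() {
    // Dies with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'rapidload_admin_nonce', 'nonce' ); // nonce action is a placeholder

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() sends the JSON body and exits.
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    update_option( 'rapidload_cache_enabled', false );
    wp_send_json_success();
}

// Only the hardened handler is registered. The wp_ajax_ hook fires for
// logged-in users only; no wp_ajax_nopriv_ variant is registered, so
// anonymous requests never reach this code.
add_action( 'wp_ajax_rapidload_deactivate', 'hardened_ajax_deactivate' );
```

The defensive check to look for during review is the current_user_can() call before any update_option() or similar state change; a nonce alone only proves the request came from the plugin's own page, not that the user is privileged.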
💻 Affected Systems
- RapidLoad Power-Up for Autoptimize WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable caching across the entire WordPress site, potentially causing performance degradation, increased server load, and denial of service through resource exhaustion.
Likely Case
Malicious users with subscriber accounts could disrupt site performance by disabling caching, leading to slower page loads and increased server resource usage.
If Mitigated
With proper user role management and plugin updates, impact is limited to temporary performance issues that can be quickly restored.
🎯 Exploit Status
Exploitation requires authenticated access with subscriber privileges. The vulnerability is simple to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.2 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'RapidLoad Power-Up for Autoptimize'.
4. Click 'Update Now' if available, or download version 1.7.2+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until the patched version is installed. The plugin's directory in the WordPress plugin repository is unusedcss (see the changeset URL above), so confirm the installed slug with wp plugin list before running the command below:
wp plugin deactivate rapidload-power-up-for-autoptimize
Restrict Subscriber Access
Temporarily disable subscriber accounts or restrict their capabilities.
🧯 If You Can't Patch
- Remove subscriber role from untrusted users or disable user registration
- Implement web application firewall rules to block ajax_deactivate requests from non-admin users
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → RapidLoad Power-Up for Autoptimize → Version. If version is 1.7.1 or lower, you are vulnerable.
Check Version:
wp plugin get rapidload-power-up-for-autoptimize --field=version
Verify Fix Applied:
After updating, verify plugin version is 1.7.2 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=rapidload_deactivate from non-admin users
- Plugin deactivation events in WordPress logs from subscriber accounts
Network Indicators:
- HTTP POST requests to admin-ajax.php containing 'action=rapidload_deactivate' from sessions authenticated as non-privileged users
SIEM Query:
source="wordpress.log" AND "rapidload_deactivate" AND user_role="subscriber"
🔗 References
- https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php?contextall=1&old=2847136&old_path=%2Funusedcss%2Ftrunk%2Fincludes%2Fmodules%2Funused-css%2FUnusedCSS_Admin.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b2296800-93d6-48fa-aa09-3d28fa6371d7