CVE-2023-1340
📋 TL;DR
This CSRF vulnerability in the RapidLoad Power-Up for Autoptimize WordPress plugin allows unauthenticated attackers to trick administrators into clearing plugin logs via malicious links. It affects WordPress sites using vulnerable plugin versions up to 1.7.1. The attack requires social engineering to convince an admin to click a crafted link.
💻 Affected Systems
- RapidLoad Power-Up for Autoptimize WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could clear forensic evidence of other attacks, enabling cover-up of more serious compromises and hindering incident investigation.
Likely Case
Malicious actors clear plugin logs to hide traces of other attacks or disrupt debugging efforts, potentially enabling persistence.
If Mitigated
With proper CSRF protections, the attack fails, leaving logs intact for security monitoring and incident response.
🎯 Exploit Status
Exploitation requires social engineering to trick an administrator into clicking the link; technical complexity is minimal once the malicious link is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.7.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'RapidLoad Power-Up for Autoptimize'.
4. Click 'Update Now' if available, or manually update to version 1.7.2+.
5. Verify the update completes successfully.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched to prevent exploitation.
wp plugin deactivate rapidload-power-up-for-autoptimize
CSRF Protection via .htaccess
Add basic CSRF protections at the web server level (limited effectiveness for this specific vulnerability, since the attack is a plain link click rather than a framed page).
# Add to .htaccess:
Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "frame-ancestors 'none'"
🧯 If You Can't Patch
- Implement strict admin access controls and educate administrators about phishing risks.
- Monitor and alert on unexpected log clearing activities within the plugin.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → RapidLoad Power-Up for Autoptimize → Version. If the version is 1.7.1 or lower, the site is vulnerable.
Check Version:
wp plugin get rapidload-power-up-for-autoptimize --field=version
Verify Fix Applied:
Confirm plugin version is 1.7.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unexpected clearing of RapidLoad/Autoptimize plugin logs without admin intent
- HTTP requests to admin-ajax.php or similar endpoints with clear_uucss_logs action
Network Indicators:
- Unusual outbound connections from admin sessions following link clicks
SIEM Query:
source="wordpress" AND action="clear_uucss_logs" AND user_role="administrator"
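The log indicators above can be checked directly against the web server access log. The following is an added example, not part of this advisory or the plugin: it flags requests for the admin-ajax.php endpoint carrying the clear_uucss_logs action when they arrive as a GET (what a clicked link produces) or with a Referer from another origin. The host name shop.example and the sample log lines are constructed; the access log is assumed to use the combined format with the Referer field.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format including the Referer field (assumption: the host logs it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

SITE_HOST = "shop.example"           # constructed: the protected WordPress host
TARGET_ACTION = "clear_uucss_logs"   # action named in the advisory's indicators

def classify(line):
    """Return a finding string for a suspicious log-clearing request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # Only the query-string form is visible here; a POST body is not in the
    # access log, so body-carried actions need application logging instead.
    if parse_qs(url.query).get("action") != [TARGET_ACTION]:
        return None
    # A legitimate click in the plugin UI is a POST from the site's own admin
    # page. A link-based CSRF arrives as a GET and/or with a foreign Referer.
    referer_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
    if m["method"] == "GET":
        return f"{m['ts']} {m['ip']}: GET {TARGET_ACTION} (link-triggered?)"
    if referer_host != SITE_HOST:
        return f"{m['ts']} {m['ip']}: cross-site Referer {referer_host!r} for {TARGET_ACTION}"
    return None

def scan(lines):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample lines: benign POST, cross-site POST, link-style GET, unrelated GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2023:10:01:07 +0000] "POST /wp-admin/admin-ajax.php?action=clear_uucss_logs HTTP/1.1" 200 27 "https://shop.example/wp-admin/admin.php?page=rapidload"',
    '10.0.0.5 - - [12/Mar/2023:10:04:19 +0000] "POST /wp-admin/admin-ajax.php?action=clear_uucss_logs HTTP/1.1" 200 27 "https://evil.example/promo.html"',
    '10.0.0.5 - - [12/Mar/2023:10:05:42 +0000] "GET /wp-admin/admin-ajax.php?action=clear_uucss_logs HTTP/1.1" 200 27 "-"',
    '10.0.0.9 - - [12/Mar/2023:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 27 "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```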
🔗 References
- https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php?contextall=1&old=2847136&old_path=%2Funusedcss%2Ftrunk%2Fincludes%2Fmodules%2Funused-css%2FUnusedCSS_Admin.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/488e26e2-d4d7-4036-a672-53c2d4c9d39b