CVE-2023-1342
📋 TL;DR
Versions 1.7.1 and earlier of the RapidLoad Power-Up for Autoptimize WordPress plugin handle the admin-ajax action ucss_connect, which sets the site's license key, without a CSRF nonce check. An attacker who gets a logged-in administrator to visit a page they control can have that administrator's browser submit the request and replace the license key. The attacker needs no credentials of their own, but the attack does need an authenticated administrator and the social engineering to lure them.
💻 Affected Systems
- RapidLoad Power-Up for Autoptimize WordPress plugin, versions 1.7.1 and earlier (wordpress.org directory slug: unusedcss, as the trac path in the advisory shows)
📦 What is this software?
RapidLoad Power-Up for Autoptimize is a WordPress plugin that extends Autoptimize with removal of unused CSS through the RapidLoad service. The site is linked to that service with a license key, and the ucss_connect admin-ajax action is what stores that key.
⚠️ Risk & Real-World Impact
Worst Case
An attacker replaces the key with one they control or with an invalid one. With an attacker-controlled key, the site's unused-CSS optimization runs through an account the attacker administers and can revoke or exhaust at will; with an invalid key, the optimization stops working until an administrator notices and re-enters the real key.
Likely Case
The plugin's CSS optimization is disrupted and an administrator has to reconnect the site to RapidLoad. The flaw changes only the license key, so on its own it gives the attacker neither code execution nor access to site data.
If Mitigated
Once the handler verifies a nonce (version 1.7.2), a forged cross-site request carries no valid nonce and is rejected before the key is touched.
🎯 Exploit Status
No public exploit is linked from this page. Exploitation is low effort: a page with an auto-submitting form that POSTs action=ucss_connect to /wp-admin/admin-ajax.php is enough, provided the victim is logged in to WordPress as an administrator when they open it. A link click is the usual lure, but any visit to attacker-controlled content from an authenticated browser suffices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.7.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'RapidLoad Power-Up for Autoptimize'.
4. Click 'Update Now' if available, or download version 1.7.2+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Add CSRF protection manually
Add a nonce check to the ucss_connect handler in the plugin code. Edit includes/modules/unused-css/UnusedCSS_Admin.php and call check_ajax_referer() (which wraps wp_verify_nonce() and exits on failure) before the handler processes the request; the plugin's admin page must then send the matching nonce with its request, or legitimate license changes break too. Edits to plugin files are overwritten by the next update, so treat this as a stop-gap until 1.7.2 is installed.
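To make the shape of that change concrete, here is an illustrative admin-ajax handler in the vulnerable form and in a hardened form. This is an added example, not the plugin's own code from UnusedCSS_Admin.php: the request parameter name license_key, the nonce action name ucss_connect, the option name uucss_license_key and the script handle uucss-admin are assumptions chosen for the illustration.

```php
<?php
/**
 * Illustrative "ucss_connect" admin-ajax handler, vulnerable and hardened.
 * Not the RapidLoad plugin's code. Assumed names (not from the advisory):
 * request field "license_key", nonce action "ucss_connect",
 * option "uucss_license_key", script handle "uucss-admin".
 */

// BEFORE: every request that arrives with an administrator's cookies is
// honoured, including one a third-party page forged. Nothing ties the
// request to the plugin's own settings page.
function ucss_connect_vulnerable() {
    $key = isset($_POST['license_key'])
        ? sanitize_text_field(wp_unslash($_POST['license_key'])) : '';
    update_option('uucss_license_key', $key);
    wp_send_json_success(array('connected' => true));
}

// AFTER: demand a nonce the plugin itself issued for this action, and check
// the capability explicitly instead of relying on the wp_ajax_ prefix alone.
function ucss_connect_hardened() {
    // Verifies $_REQUEST['nonce'] against the "ucss_connect" action and, on
    // mismatch, replies with HTTP 403 and exits. A forged cross-site form
    // cannot read the nonce, so it never gets past this line.
    check_ajax_referer('ucss_connect', 'nonce');

    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'insufficient privileges'), 403);
    }

    $key = isset($_POST['license_key'])
        ? sanitize_text_field(wp_unslash($_POST['license_key'])) : '';
    // Assumed key alphabet: reject anything outside it before storing.
    if ($key === '' || !preg_match('/^[A-Za-z0-9\-]{8,128}$/', $key)) {
        wp_send_json_error(array('message' => 'invalid license key format'), 400);
    }

    update_option('uucss_license_key', $key);
    wp_send_json_success(array('connected' => true));
}

// Register only the hardened handler, and only for authenticated users:
// no wp_ajax_nopriv_ hook, so logged-out requests get WordPress's default reply.
add_action('wp_ajax_ucss_connect', 'ucss_connect_hardened');

// The nonce has to reach the plugin's own admin page so its JavaScript can
// send it as the "nonce" field; wp_localize_script() exposes it as
// uucssConnect.nonce on the (assumed) uucss-admin script.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('uucss-admin', 'uucssConnect', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('ucss_connect'),
    ));
});
```

The nonce alone closes the CSRF path because it is bound to the logged-in user and session and is only readable from a page the plugin renders; the capability check is defence in depth for installs where lower-privileged roles can reach admin-ajax.php.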
Disable plugin temporarily
Deactivate the plugin until patched. The plugin's directory slug is unusedcss (see the trac path in the advisory), so with WP-CLI:
wp plugin deactivate unusedcss
Confirm the slug on your own install with wp plugin list if it differs.
🧯 If You Can't Patch
- Put a WAF or reverse-proxy rule in front of /wp-admin/admin-ajax.php that rejects requests carrying action=ucss_connect whose Origin or Referer header does not name your own site
- Tell administrators not to browse untrusted links from a browser that is logged in to wp-admin, and check the license key in the plugin settings after any suspicious visit
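If no WAF is available, the same origin rule can be enforced inside WordPress itself with a must-use plugin. The following is an added example, not part of the RapidLoad plugin: it blocks admin-ajax requests for action=ucss_connect whose Origin (or, failing that, Referer) header does not name the host home_url() reports, and logs the attempt. It assumes the site is reached on that host and that the plugin's own settings page sends an Origin or Referer header, which browsers do on same-site XHR/POST.

```php
<?php
/**
 * Plugin Name: Block cross-site ucss_connect
 * Description: Stop-gap for sites that cannot update to 1.7.2 yet. Added
 * example, not part of the RapidLoad plugin. Save as
 * wp-content/mu-plugins/ucss-guard.php.
 *
 * Only closes the plain cross-site form-post path; the nonce check added in
 * 1.7.2 remains the real fix. Assumes the site is served on the host that
 * home_url() returns.
 */

// Host the request claims to come from, from Origin first, then Referer;
// '' when neither header is present.
function ucss_guard_request_origin_host(array $server) {
    foreach (array('HTTP_ORIGIN', 'HTTP_REFERER') as $header) {
        if (!empty($server[$header])) {
            $host = wp_parse_url($server[$header], PHP_URL_HOST);
            return is_string($host) ? strtolower($host) : '';
        }
    }
    return '';
}

// Decision as a pure function of the request and the site's host, so it can
// be reasoned about (or unit-tested) without a WordPress bootstrap.
function ucss_guard_should_block(array $server, array $request, $site_host) {
    if (($request['action'] ?? '') !== 'ucss_connect') {
        return false;
    }
    $from = ucss_guard_request_origin_host($server);
    // A missing Origin/Referer is treated as hostile: a forged form can strip
    // the Referer via a referrer policy, while the plugin's own settings page
    // always sends at least one of the two on a same-site POST.
    return $from === '' || $from !== strtolower($site_host);
}

// admin_init fires for admin-ajax.php before the wp_ajax_* action runs.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    $site_host = (string) wp_parse_url(home_url(), PHP_URL_HOST);
    if (ucss_guard_should_block($_SERVER, $_REQUEST, $site_host)) {
        error_log(sprintf(
            'ucss_guard: blocked cross-site ucss_connect from %s (user %d, ip %s)',
            ucss_guard_request_origin_host($_SERVER) ?: 'no-origin',
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ));
        wp_die('Cross-site request rejected', 'Forbidden', array('response' => 403));
    }
}, 0);
```

The error_log() line doubles as a detection feed: each blocked request records the foreign origin, the administrator account whose session was abused and the client address, which is exactly the evidence the monitoring section below asks for. Sites behind a proxy that rewrites the Host header should compare against the externally visible host instead of home_url().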
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → RapidLoad Power-Up for Autoptimize → Version. If the version is 1.7.1 or lower, the ucss_connect handler has no nonce check and the site is vulnerable.
Check Version:
wp plugin get unusedcss --field=version
Verify Fix Applied:
After updating, verify version is 1.7.2 or higher in WordPress plugins page.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=ucss_connect whose Referer or Origin header is not your own site, or which carry no Referer at all
- Changes to the plugin's stored license key with no matching administrator activity on the plugin's settings page
Network Indicators:
- A ucss_connect request from an administrator's address shortly after that browser fetched an external page (the lure)
- Unexpected outbound calls from the site to the RapidLoad license API, for example a reconnect nobody initiated
SIEM Query (pseudo-syntax; map the field names onto your own log schema):
source="wordpress" AND uri_path="/wp-admin/admin-ajax.php" AND parameters.action="ucss_connect" AND NOT http_referer="https://<your-site>/*"
🔗 References
- https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php?contextall=1&old=2847136&old_path=%2Funusedcss%2Ftrunk%2Fincludes%2Fmodules%2Funused-css%2FUnusedCSS_Admin.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7c66894a-8d0f-4946-ae4d-bffd35f3ffb7