CVE-2023-1344
📋 TL;DR
This CSRF vulnerability in the RapidLoad Power-Up for Autoptimize WordPress plugin allows unauthenticated attackers to modify the plugin's cache by tricking administrators into clicking malicious links. It affects WordPress sites using the plugin up to version 1.7.1. The vulnerability stems from missing nonce validation in the uucss_update_rule function.
💻 Affected Systems
- RapidLoad Power-Up for Autoptimize WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could poison the plugin's cache with malicious content, potentially leading to site defacement, credential theft via fake login forms, or distribution of malware to visitors.
Likely Case
Attackers modify cache rules to disrupt site functionality, inject ads, or redirect users to malicious sites, causing reputation damage and potential data loss.
If Mitigated
With proper CSRF protections and user awareness, successful exploitation requires social engineering and administrator interaction, reducing impact to minimal site disruption.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators into clicking malicious links. No authentication needed for the CSRF attack itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'RapidLoad Power-Up for Autoptimize'.
4. Click 'Update Now' if available, or manually update to version 1.7.2+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched:
wp plugin deactivate rapidload-power-up-for-autoptimize
Add CSRF Protection
Implement custom nonce validation for the affected function:
Add a wp_verify_nonce() check (or check_ajax_referer(), which wraps it for admin-ajax handlers) at the start of the uucss_update_rule handler, before any cache rule is written.
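The following is an added illustration of that workaround, not the plugin's own code: a simplified admin-ajax handler in the vulnerable shape the advisory describes (no nonce, no capability check) beside a hardened version, plus the enqueue code that hands the nonce to the legitimate admin page. Function names, the hook name and the option name are hypothetical; only the WordPress API calls (check_ajax_referer, wp_verify_nonce, current_user_can, wp_create_nonce, wp_localize_script) are real.

```php
<?php
// Added example (not from the RapidLoad plugin): a WordPress admin-ajax handler
// before and after adding nonce validation. Function, hook and option names are
// hypothetical and only mirror the pattern described in the advisory.

// --- Vulnerable pattern: every request reaching admin-ajax.php with
//     action=uucss_update_rule is processed. A forged cross-site POST sent by an
//     administrator's browser therefore succeeds, because the browser attaches the
//     admin's cookies and nothing here proves the request came from the admin UI.
function uucss_update_rule_vulnerable() {
    $rule = isset( $_POST['rule'] ) ? $_POST['rule'] : '';
    update_option( 'uucss_rule_example', $rule ); // hypothetical option name
    wp_send_json_success();
}

// --- Hardened pattern: nonce first, then capability, then input sanitisation.
//     check_ajax_referer() calls wp_verify_nonce() on $_REQUEST['nonce'] for the
//     action 'uucss_update_rule' and ends the request (HTTP 403, body "-1") when
//     the nonce is missing, stale or bound to a different user.
function uucss_update_rule_hardened() {
    check_ajax_referer( 'uucss_update_rule', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rule = isset( $_POST['rule'] ) ? sanitize_text_field( wp_unslash( $_POST['rule'] ) ) : '';
    update_option( 'uucss_rule_example', $rule );
    wp_send_json_success();
}
add_action( 'wp_ajax_uucss_update_rule', 'uucss_update_rule_hardened' );

// The nonce must reach the plugin's own admin page so its JavaScript can send it
// back with each request. A third-party page cannot read this value cross-origin,
// which is what makes the forged request fail the check above.
function uucss_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'uucss-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'uucss-admin', 'uucssAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'uucss_update_rule' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'uucss_enqueue_admin_script' );
```

The order matters: the nonce check runs before the capability check so that an unauthenticated or forged request is rejected without touching any plugin state, and the capability check remains because a nonce only proves the request originated from the site's own pages, not that the user is allowed to change cache rules.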
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that block requests to admin-ajax.php carrying action=uucss_update_rule when the Origin or Referer header is missing or does not match the site's own host
- Educate administrators about phishing risks and implement strict click policies
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for RapidLoad Power-Up for Autoptimize version 1.7.1 or earlier
Check Version:
wp plugin get rapidload-power-up-for-autoptimize --field=version
Verify Fix Applied:
Verify plugin version is 1.7.2 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=uucss_update_rule
- Multiple failed nonce validation attempts in WordPress logs (WordPress core does not log nonce failures on its own; this indicator requires a security or audit-logging plugin, or a custom hook, that records them)
Network Indicators:
- CSRF payloads in HTTP requests containing uucss_update_rule parameters
- Unusual traffic patterns to admin-ajax.php from unexpected sources
SIEM Query (assumes a log source that records the AJAX action and the outcome of nonce verification; adjust the field names to your logging setup):
source="wordpress.log" AND "uucss_update_rule" AND NOT "nonce_verified"
🔗 References
- https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php?contextall=1&old=2847136&old_path=%2Funusedcss%2Ftrunk%2Fincludes%2Fmodules%2Funused-css%2FUnusedCSS_Admin.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/263153c9-61c5-4df4-803b-8d274e2a5e35