Login Sign Up

CVE-2024-43314

4.3 MEDIUM
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to bypass authorization controls in the Asset CleanUp: Page Speed Booster WordPress plugin, potentially accessing functionality intended only for authenticated users. It affects all WordPress sites running the plugin from any version up to 1.3.9.3.

💻 Affected Systems

Products:
  • Asset CleanUp: Page Speed Booster WordPress Plugin
Versions: n/a through 1.3.9.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

Asset Cleanup by Gabelivan

View all CVEs affecting Asset Cleanup →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users could modify plugin settings, disable critical functionality, or potentially escalate privileges to gain administrative access to the WordPress site.

🟠

Likely Case

Attackers could modify asset optimization settings, potentially breaking site functionality or performance optimizations without proper authorization.

🟢

If Mitigated

With proper network segmentation and access controls, impact would be limited to the WordPress application layer only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing authorization vulnerabilities typically require minimal technical skill to exploit once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.9.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-asset-clean-up/wordpress-asset-cleanup-page-speed-booster-plugin-1-3-9-3-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Asset CleanUp: Page Speed Booster. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.3.9.4+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate wp-asset-clean-up

Restrict Access

all

Use web application firewall rules to block access to plugin admin endpoints

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the WordPress admin interface
  • Enable WordPress security plugins that monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Asset CleanUp: Page Speed Booster version number

Check Version:

wp plugin get wp-asset-clean-up --field=version

Verify Fix Applied:

Verify plugin version is 1.3.9.4 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /wp-admin/admin-ajax.php with plugin-specific actions
  • Unexpected modifications to plugin settings by non-admin users

Network Indicators:

  • HTTP requests to plugin admin endpoints from unauthorized IP addresses

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php") AND (action="wpacu_" OR user_role!="administrator")

📊 Metadata

CVE ID: CVE-2024-43314
CVSS v3 Score: 4.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-862
Published: November 1, 2024
Last Updated: November 13, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-43314, you might also want to check these:

CVE-2024-6071 10.0

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License ...

Same vulnerability type (CWE-862)
CVE-2022-0543 10.0

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that a...

Same vulnerability type (CWE-862)
CVE-2024-6500 10.0

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress ...

Same vulnerability type (CWE-862)