Vulnerability Analysis: CVE-2026-24633

1. Vulnerability Summary

The AEH Speed Optimization plugin (versions <= 3.2.0) is vulnerable to Missing Authorization. The plugin registers an AJAX action purge_cache via both wp_ajax_purge_cache (authenticated) and wp_ajax_nopriv_purge_cache (unauthenticated). The handler function refresh_browser_cache lacks any capability checks (current_user_can) or nonce verification (check_ajax_referer / wp_verify_nonce).

This allows an unauthenticated attacker to trigger a modification of the site's .htaccess file and update the aeh_expires_headers_last_modified_time option in the WordPress database.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: purge_cache
• Method: POST or GET (WordPress AJAX handles both, though POST is standard)
• Authentication: None required (unauthenticated).
• Preconditions: The plugin must be active and the site must be running on a server that uses .htaccess (e.g., Apache or Litespeed) for the filesystem impact, though the database modification occurs regardless of the server type.

3. Code Flow

1. Entry Point: In main/class-aeh-main.php, the AEH_Main class constructor registers the vulnerable hooks:

   add_action('wp_ajax_purge_cache', array($this, 'refresh_browser_cache'));
   add_action('wp_ajax_nopriv_purge_cache', array($this, 'refresh_browser_cache'));
   

2. Vulnerable Handler: The refresh_browser_cache function is executed:

   public function refresh_browser_cache()
   {
       // Database Sink: Updates an option without authorization
       update_option('aeh_expires_headers_last_modified_time', date(DATE_RFC822));
       // Filesystem Sink: Triggers .htaccess rewrite
       $this->write_to_htaccess();
       wp_die();
   }
   

3. Sink - Filesystem: write_to_htaccess() calls delete_from_htaccess() and getrules(), then writes content to ABSPATH . '.htaccess'.
4. Sink - Database: update_option modifies the wp_options table.

4. Nonce Acquisition Strategy

No nonce is required. The refresh_browser_cache function does not contain any calls to check_ajax_referer or wp_verify_nonce. An attacker can send the request directly to admin-ajax.php.

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated user can force the plugin to update its configuration and modify the filesystem/database.

1. Step 1: Send an unauthenticated POST request to admin-ajax.php with the action parameter set to purge_cache.
2. Payload:
   • URL: http://<target>/wp-admin/admin-ajax.php
   • Method: POST
   • Headers: Content-Type: application/x-www-form-urlencoded
   • Body: action=purge_cache

6. Test Data Setup

1. Install and activate AEH Speed Optimization version 3.2.0.
2. Ensure .htaccess exists in the WordPress root and is writable by the web server (standard for this plugin's functionality).
3. No specific content or users are required as the vulnerability is unauthenticated.

7. Expected Results

• The server will respond with a status code 200 OK (standard for wp_die()).
• The database option aeh_expires_headers_last_modified_time will be updated to the current server time.
• The site's .htaccess file will be rewritten. If it didn't contain the plugin's rules before, it will now contain blocks starting with # BEGIN AEH: Speed Optimization Plugin.

8. Verification Steps

1. Check Database Update: Use WP-CLI to check the option value before and after the exploit:

   wp option get aeh_expires_headers_last_modified_time
   

   Verification: The value should match the timestamp of the exploit attempt.

2. Check Filesystem Update: Inspect the .htaccess file:

   grep "BEGIN AEH: Speed Optimization Plugin" .htaccess
   

   Verification: The presence of this string confirms the write_to_htaccess() logic was successfully triggered.

9. Alternative Approaches

If the nopriv AJAX action is restricted by another security plugin or firewall, the same function refresh_browser_cache is also triggered by the action hook refresh_cache:

add_action('refresh_cache', array($this, 'refresh_browser_cache'));

However, this is a server-side action hook and typically not directly reachable via HTTP unless another plugin or part of this plugin calls do_action('refresh_cache') based on user input. The AJAX endpoint remains the primary and most direct vector.

Another potential impact is "Missing Authorization" in hide_review_request, though that function does implement a nonce check (wp_verify_nonce($nonce, 'maybelater-nonce')), making it significantly harder to exploit unauthenticated unless a nonce leakage is found. The purge_cache action remains the definitive unauthenticated entry point.