Core Web Vitals & PageSpeed Booster <= 1.0.27 - Missing Authorization
Description
The Core Web Vitals & PageSpeed Booster plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.27This research plan outlines the steps to investigate and exploit **CVE-2025-62144**, a missing authorization vulnerability in the **Core Web Vitals & PageSpeed Booster** plugin (<= 1.0.27). ### 1. Vulnerability Summary The vulnerability exists because certain AJAX handlers in the plugin are registe…
Show full research plan
This research plan outlines the steps to investigate and exploit CVE-2025-62144, a missing authorization vulnerability in the Core Web Vitals & PageSpeed Booster plugin (<= 1.0.27).
1. Vulnerability Summary
The vulnerability exists because certain AJAX handlers in the plugin are registered using the wp_ajax_ hook (which allows any authenticated user to trigger them) but fail to implement a current_user_can() check to verify that the user has administrative privileges. This allows a user with Subscriber level access to perform administrative actions, such as modifying plugin settings or clearing optimization caches.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Method: POST
- Authenticated Access: Subscriber or higher.
- Vulnerable Action (Inferred): Likely
pbooster_save_settingsorcwpb_update_settings. - Impact: Modification of plugin configurations, potentially leading to the injection of malicious scripts (if settings include custom JS/CSS fields) or disruption of site performance.
3. Code Flow (Inferred Trace)
- Registration: The plugin registers an AJAX action:
add_action( 'wp_ajax_pbooster_save_settings', 'pbooster_save_settings_callback' ); - Trigger: An authenticated user (Subscriber) sends a POST request to
admin-ajax.phpwithaction=pbooster_save_settings. - Missing Check: The callback function
pbooster_save_settings_callbacklikely performs a nonce check (check_ajax_refererorwp_verify_nonce) but omits a capability check likeif ( ! current_user_can( 'manage_options' ) ) wp_die();. - Execution: The function proceeds to update the plugin options in the database using
update_option().
4. Nonce Acquisition Strategy
The plugin likely localizes a nonce for its admin interface. Since the vulnerability requires "authenticated" access, the nonce is likely available in the WordPress admin dashboard for any logged-in user.
- Locate Nonce Details:
- Search the codebase for
wp_create_nonceto find the action string. - Search for
wp_localize_scriptto find the JavaScript object name. - Initial Guess: Action string:
pbooster_nonceorpbooster_settings_nonce. JS Variable:pbooster_admin_obj.
- Search the codebase for
- Creation of Access Point:
Subscribers can accesswp-admin/profile.php. However, if the nonce is only loaded on the plugin's settings page (which a subscriber cannot access), we must check if the script is enqueued globally in the admin or if there is a shortcode. - Extraction:
- Log in as a Subscriber.
- Navigate to
/wp-admin/index.php. - Use
browser_evalto search for the nonce in the global window object. - Command:
browser_eval("window.pbooster_admin_obj?.nonce || window.pbooster_vars?.nonce")
5. Exploitation Strategy
Step 1: Discovery
Run the following to identify the exact vulnerable function and action:
grep -rn "wp_ajax_" . --include="*.php"
Once the action is identified (e.g., pbooster_save_settings), check the callback:
grep -rn "function pbooster_save_settings" . --include="*.php" -A 15
Confirm the absence of current_user_can('manage_options').
Step 2: Nonce Extraction
- Identify the JS variable name:
grep -rn "wp_localize_script" . - Log in as a Subscriber.
- Navigate to
/wp-admin/index.php(or a page where the script is enqueued). - Extract the nonce via
browser_eval.
Step 3: Payload Delivery
Send a request to modify a plugin setting. We will target a setting that has a visible effect, such as a "Custom CSS" or "Lazy Load" toggle.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=pbooster_save_settings&nonce=[EXTRACTED_NONCE]&settings[lazy_load]=0&settings[some_text_field]=EXPLOITED
6. Test Data Setup
- Plugin Installation: Install and activate
core-web-vitals-pagespeed-boosterversion 1.0.27. - User Creation:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123 - Identify Target Option: Check the current value of the plugin settings:
wp option get pbooster_settings
7. Expected Results
- The
admin-ajax.phprequest should return a successful status (e.g.,{"success":true}or1). - The WordPress database should reflect the changes made by the Subscriber user.
8. Verification Steps
- Check Option Value:
wp option get pbooster_settings - Compare: Verify that the value in
pbooster_settingsmatches the payload sent by the Subscriber. - Verify Unauthorized Access: Confirm that the user
attackerstill has thesubscriberrole and should not normally be able to update these options.
9. Alternative Approaches
If pbooster_save_settings is not the vulnerable action, search for:
pbooster_clear_cachecwpb_reset_settings- Any action associated with
wp_ajax_in theadmin/directory of the plugin.
If the nonce is strictly tied to an admin-only page, check if the plugin verifies the nonce at all, or if it uses a generic nonce like wp_rest or a nonce with the action -1, which can be easily obtained.
Summary
The Core Web Vitals & PageSpeed Booster plugin for WordPress (<= 1.0.27) contains a missing authorization vulnerability in its AJAX settings handling. This flaw allows authenticated attackers with subscriber-level permissions or higher to modify plugin settings by invoking administrative actions that lack server-side capability checks.
Exploit Outline
To exploit this vulnerability, an attacker first obtains subscriber-level authentication. The attacker then retrieves a valid nonce for the plugin's administrative actions, which is typically localized in JavaScript variables within the WordPress admin dashboard. Using this nonce, the attacker sends a POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to a vulnerable handler (such as 'pbooster_save_settings') and additional parameters containing modified plugin configuration values. Because the server-side callback function fails to verify user permissions using 'current_user_can()', the plugin processes the request and updates the site's database options as requested.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.