CVE-2025-62144

Core Web Vitals & PageSpeed Booster <= 1.0.27 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Core Web Vitals & PageSpeed Booster plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.27
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit **CVE-2025-62144**, a missing authorization vulnerability in the **Core Web Vitals & PageSpeed Booster** plugin (<= 1.0.27). ### 1. Vulnerability Summary The vulnerability exists because certain AJAX handlers in the plugin are registe…

Show full research plan

This research plan outlines the steps to investigate and exploit CVE-2025-62144, a missing authorization vulnerability in the Core Web Vitals & PageSpeed Booster plugin (<= 1.0.27).

1. Vulnerability Summary

The vulnerability exists because certain AJAX handlers in the plugin are registered using the wp_ajax_ hook (which allows any authenticated user to trigger them) but fail to implement a current_user_can() check to verify that the user has administrative privileges. This allows a user with Subscriber level access to perform administrative actions, such as modifying plugin settings or clearing optimization caches.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Authenticated Access: Subscriber or higher.
  • Vulnerable Action (Inferred): Likely pbooster_save_settings or cwpb_update_settings.
  • Impact: Modification of plugin configurations, potentially leading to the injection of malicious scripts (if settings include custom JS/CSS fields) or disruption of site performance.

3. Code Flow (Inferred Trace)

  1. Registration: The plugin registers an AJAX action:
    add_action( 'wp_ajax_pbooster_save_settings', 'pbooster_save_settings_callback' );
  2. Trigger: An authenticated user (Subscriber) sends a POST request to admin-ajax.php with action=pbooster_save_settings.
  3. Missing Check: The callback function pbooster_save_settings_callback likely performs a nonce check (check_ajax_referer or wp_verify_nonce) but omits a capability check like if ( ! current_user_can( 'manage_options' ) ) wp_die();.
  4. Execution: The function proceeds to update the plugin options in the database using update_option().

4. Nonce Acquisition Strategy

The plugin likely localizes a nonce for its admin interface. Since the vulnerability requires "authenticated" access, the nonce is likely available in the WordPress admin dashboard for any logged-in user.

  1. Locate Nonce Details:
    • Search the codebase for wp_create_nonce to find the action string.
    • Search for wp_localize_script to find the JavaScript object name.
    • Initial Guess: Action string: pbooster_nonce or pbooster_settings_nonce. JS Variable: pbooster_admin_obj.
  2. Creation of Access Point:
    Subscribers can access wp-admin/profile.php. However, if the nonce is only loaded on the plugin's settings page (which a subscriber cannot access), we must check if the script is enqueued globally in the admin or if there is a shortcode.
  3. Extraction:
    • Log in as a Subscriber.
    • Navigate to /wp-admin/index.php.
    • Use browser_eval to search for the nonce in the global window object.
    • Command: browser_eval("window.pbooster_admin_obj?.nonce || window.pbooster_vars?.nonce")

5. Exploitation Strategy

Step 1: Discovery

Run the following to identify the exact vulnerable function and action:

grep -rn "wp_ajax_" . --include="*.php"

Once the action is identified (e.g., pbooster_save_settings), check the callback:

grep -rn "function pbooster_save_settings" . --include="*.php" -A 15

Confirm the absence of current_user_can('manage_options').

Step 2: Nonce Extraction

  1. Identify the JS variable name: grep -rn "wp_localize_script" .
  2. Log in as a Subscriber.
  3. Navigate to /wp-admin/index.php (or a page where the script is enqueued).
  4. Extract the nonce via browser_eval.

Step 3: Payload Delivery

Send a request to modify a plugin setting. We will target a setting that has a visible effect, such as a "Custom CSS" or "Lazy Load" toggle.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=pbooster_save_settings&nonce=[EXTRACTED_NONCE]&settings[lazy_load]=0&settings[some_text_field]=EXPLOITED
    

6. Test Data Setup

  1. Plugin Installation: Install and activate core-web-vitals-pagespeed-booster version 1.0.27.
  2. User Creation:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    
  3. Identify Target Option: Check the current value of the plugin settings:
    wp option get pbooster_settings
    

7. Expected Results

  • The admin-ajax.php request should return a successful status (e.g., {"success":true} or 1).
  • The WordPress database should reflect the changes made by the Subscriber user.

8. Verification Steps

  1. Check Option Value:
    wp option get pbooster_settings
    
  2. Compare: Verify that the value in pbooster_settings matches the payload sent by the Subscriber.
  3. Verify Unauthorized Access: Confirm that the user attacker still has the subscriber role and should not normally be able to update these options.

9. Alternative Approaches

If pbooster_save_settings is not the vulnerable action, search for:

  • pbooster_clear_cache
  • cwpb_reset_settings
  • Any action associated with wp_ajax_ in the admin/ directory of the plugin.

If the nonce is strictly tied to an admin-only page, check if the plugin verifies the nonce at all, or if it uses a generic nonce like wp_rest or a nonce with the action -1, which can be easily obtained.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Core Web Vitals & PageSpeed Booster plugin for WordPress (<= 1.0.27) contains a missing authorization vulnerability in its AJAX settings handling. This flaw allows authenticated attackers with subscriber-level permissions or higher to modify plugin settings by invoking administrative actions that lack server-side capability checks.

Exploit Outline

To exploit this vulnerability, an attacker first obtains subscriber-level authentication. The attacker then retrieves a valid nonce for the plugin's administrative actions, which is typically localized in JavaScript variables within the WordPress admin dashboard. Using this nonce, the attacker sends a POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to a vulnerable handler (such as 'pbooster_save_settings') and additional parameters containing modified plugin configuration values. Because the server-side callback function fails to verify user permissions using 'current_user_can()', the plugin processes the request and updates the site's database options as requested.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.