CVE-2026-4127

Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via 'speedup01_enabled' AJAX Action

Missing Authorization
CVSS Score: 4.3
Severity: Medium
Patched in: Unpatched
Time to patch: N/A

Description

The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`), which properly check for the `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax.php.
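As an added example (not the advisory's or the plugin's own code), the following Python script audits every `wp_ajax_*` registration in a PHP source for the two controls the description names, a `current_user_can()` call and nonce verification, and reports handlers that lack them. The plugin text it scans is a constructed stand-in for the three handlers named above, not the real plugin source.

```python
import re
# Constructed stand-in for the plugin source: the three handlers the advisory
# names, with the checks it says the two hardened ones perform (not real code).
SAMPLE_PLUGIN = r"""
add_action( 'wp_ajax_speedup01_enabled', 'speedup01_ajax_enabled' );
add_action( 'wp_ajax_speedup01_install_iox', 'speedup01_ajax_install_iox' );
add_action( 'wp_ajax_speedup01_delete_cache_file', 'speedup01_ajax_delete_cache_file' );
function speedup01_ajax_enabled() {
    $enabled = sanitize_text_field( $_POST['enabled'] );
    update_option( 'speedup01_enabled', $enabled );
    wp_die();
}
function speedup01_ajax_install_iox() {
    if ( ! current_user_can( 'install_plugins' ) ) { wp_die( -1 ); }
    check_ajax_referer( 'speedup01_nonce', 'security' );
    wp_die();
}
function speedup01_ajax_delete_cache_file() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( -1 ); }
    check_ajax_referer( 'speedup01_nonce', 'security' );
    wp_die();
}
"""

# add_action( 'wp_ajax_<action>', '<handler>' ) registrations, nopriv included
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_ajax_(?:nopriv_)?\w+)['\"]\s*,\s*['\"](\w+)['\"]")
CHECKS = {
    "capability check": re.compile(r"\bcurrent_user_can\s*\("),
    "nonce verification": re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\("),
}

def function_body(src, name):
    """Return the brace-balanced body of `function name(...) { ... }`, or None."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    """Map each wp_ajax hook to the checks its handler lacks (both if not found)."""
    findings = {}
    for hook, fn in HOOK_RE.findall(src):
        body = function_body(src, fn) or ""
        findings[hook] = [label for label, rx in CHECKS.items() if not rx.search(body)]
    return findings
```

On the sample, `audit_ajax_handlers(SAMPLE_PLUGIN)` flags only `wp_ajax_speedup01_enabled`, for both missing checks. A handler that delegates its checks to a helper function will show up as a false positive, so review flagged hooks by hand.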

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.5.9
Published: March 20, 2026
Last updated: March 27, 2026
Affected plugin: speedup-optimization
Research Plan
Unverified


This research plan outlines the steps for investigating and exploiting CVE-2026-4127, a missing authorization vulnerability in the Speedup Optimization plugin (up to version 1.5.9).

1. Vulnerability Summary

The Speedup Optimization plugin implements an AJAX handler speedup01_ajax_enabled() for the action wp_ajax_speedup01_enabled. This function is intended to allow administrators to enable or disable the plugin's optimization functionality. However, it fails to implement any capability checks (such as current_user_can('manage_options')) or nonce verification (check_ajax_referer). Consequently, any authenticated user, including those with Subscriber-level privileges, can modify the plugin's status.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action: speedup01_enabled
  • Payload Parameters:
    • action: speedup01_enabled
    • enabled: (inferred) Likely a boolean or integer (0 or 1) representing the desired state of the optimization module.
  • Authentication: Required (Subscriber level or higher).
  • Preconditions: The plugin must be active.

3. Code Flow

The vulnerability is triggered through the standard WordPress AJAX flow:

  1. Entry Point: A POST request is sent to admin-ajax.php with action=speedup01_enabled.
  2. Hook Registration: The plugin registers the action (likely in the main plugin file or an admin-specific include):
    add_action( 'wp_ajax_speedup01_enabled', 'speedup01_ajax_enabled' );
    
  3. Handler Execution: WordPress calls speedup01_ajax_enabled().
  4. Vulnerable Sink: Inside speedup01_ajax_enabled(), the code likely retrieves a value from $_POST and updates a WordPress option without checking if the user is an administrator.
    function speedup01_ajax_enabled() {
        // MISSING: current_user_can('manage_options')
        // MISSING: check_ajax_referer(...)
        $status = sanitize_text_field($_POST['enabled']); // (inferred)
        update_option('speedup01_enabled', $status); // (inferred option name)
        wp_die();
    }
    

4. Nonce Acquisition Strategy

The vulnerability description explicitly states that the function lacks nonce verification. Therefore, no nonce is required to exploit this endpoint.

If the agent discovers during exploration that a nonce is actually present but the capability check is still missing, it should:

  1. Create a post containing any plugin-related shortcodes found via grep -r "add_shortcode".
  2. Navigate to that page using browser_navigate.
  3. Extract nonces from the global window object (e.g., window.speedup_data?.nonce) using browser_eval.

5. Exploitation Strategy

The goal is to toggle the site's optimization status as a Subscriber user.

Step 1: Discover the Payload Format

The agent should first inspect the plugin code to confirm the parameter name and option name.

  • Command: grep -rn "function speedup01_ajax_enabled" .
  • Command: grep -rn "speedup01_enabled" .

Step 2: Perform the Exploit

Once the parameter name is confirmed (assuming enabled for this plan), use http_request as a Subscriber.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • Cookie: [Subscriber Session Cookies]
  • Body: action=speedup01_enabled&enabled=0 (to disable) or action=speedup01_enabled&enabled=1 (to enable).

6. Test Data Setup

  1. Plugin Installation: Ensure Speedup Optimization <= 1.5.9 is installed and activated.
  2. User Creation: Create a Subscriber user:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    
  3. Initial State Check: Record the current value of the optimization setting:
    wp option get speedup01_enabled
    

7. Expected Results

  • The AJAX request should return a 200 OK status (or a wp_die response, often 0 or 1).
  • The internal WordPress option responsible for the optimization module's state should change to the value provided in the exploit request.

8. Verification Steps

  1. Database Check: After sending the POST request, verify the option value via WP-CLI:
    wp option get speedup01_enabled
    
  2. Repeatability: Change the value back and forth (e.g., from 1 to 0 then back to 1) to confirm full control over the setting.

9. Alternative Approaches

If the parameter name is not enabled, look for alternative common patterns in the speedup01_ajax_enabled function:

  • status
  • value
  • active
  • speedup01_enabled_status

If the option name is not speedup01_enabled, search for update_option calls within the handler to identify the correct target:

  • Command: grep -A 10 "function speedup01_ajax_enabled" path/to/file.php

Research Findings
Static analysis — not yet PoC-verified

Summary

The Speedup Optimization plugin for WordPress fails to implement capability checks or nonce verification in its 'speedup01_enabled' AJAX handler. This allows authenticated users with Subscriber-level privileges or higher to enable or disable the site's optimization settings, potentially disrupting site performance or modifying plugin behavior.

Vulnerable Code

/* In the plugin's main file or admin handler */
add_action( 'wp_ajax_speedup01_enabled', 'speedup01_ajax_enabled' );

function speedup01_ajax_enabled() {
    // Missing capability check (e.g., current_user_can('manage_options'))
    // Missing nonce verification (e.g., check_ajax_referer('nonce_name'))
    $enabled = sanitize_text_field($_POST['enabled']);
    update_option('speedup01_enabled', $enabled);
    wp_die();
}

Security Fix

--- a/speedup-optimization.php
+++ b/speedup-optimization.php
@@ -1,5 +1,9 @@
 function speedup01_ajax_enabled() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( -1 );
+    }
+    check_ajax_referer( 'speedup01_nonce', 'security' );
+
     $enabled = sanitize_text_field($_POST['enabled']);
     update_option('speedup01_enabled', $enabled);
     wp_die();
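Review bot: the value written to the option is still unconstrained after the new checks; `$enabled = sanitize_text_field($_POST['enabled']);` reads the key without `isset()` and accepts any string, so the handler stores arbitrary text rather than a 0/1 toggle. Suggest `$enabled = isset( $_POST['enabled'] ) && rest_sanitize_boolean( $_POST['enabled'] ) ? '1' : '0';` before the `update_option()` call. Also, `check_ajax_referer( 'speedup01_nonce', 'security' )` will reject the legitimate admin toggle until the settings page's JavaScript sends a nonce created with `wp_create_nonce( 'speedup01_nonce' )` in a `security` field (typically passed via `wp_localize_script()`); that side of the change is not shown. Minor: the hunk header `@@ -1,5 +1,9 @@` counts five original lines but only four context lines appear, so the function's closing brace is missing from the context.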

Exploit Outline

To exploit this vulnerability, an authenticated attacker with at least Subscriber-level access sends a POST request to the WordPress AJAX endpoint. The request must include the 'action' parameter set to 'speedup01_enabled' and an 'enabled' parameter set to the desired state (e.g., '0' to disable or '1' to enable). Because the plugin does not verify user permissions or nonces for this specific action, the request will successfully update the 'speedup01_enabled' option in the database, affecting the plugin's operational state across the site.
