[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fF25h3ocIwx04BO15s4Q1QTy06S1x-OrsZquO-ppelHg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4127","speedup-optimization-missing-authorization-to-authenticated-subscriber-plugin-settings-update-via-speedup01enabled-ajax-","Speedup Optimization \u003C= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via 'speedup01_enabled' AJAX Action","The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax.","speedup-optimization",null,"\u003C=1.5.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-20 15:08:25","2026-03-27 11:14:54",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3f37c650-af0d-4474-9c1b-7f8d361b4d81?source=api-prod",[],"researched",false,3,"This research plan outlines the steps for investigating and exploiting CVE-2026-4127, a missing authorization vulnerability in the **Speedup Optimization** plugin (up to version 1.5.9).\n\n## 1. Vulnerability Summary\nThe Speedup Optimization plugin implements an AJAX handler `speedup01_ajax_enabled()` for the action `wp_ajax_speedup01_enabled`. This function is intended to allow administrators to enable or disable the plugin's optimization functionality. However, it fails to implement any capability checks (such as `current_user_can('manage_options')`) or nonce verification (`check_ajax_referer`). Consequently, any authenticated user, including those with Subscriber-level privileges, can modify the plugin's status.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Action**: `speedup01_enabled`\n- **Payload Parameters**: \n    - `action`: `speedup01_enabled`\n    - `enabled`: (inferred) Likely a boolean or integer (`0` or `1`) representing the desired state of the optimization module.\n- **Authentication**: Required (Subscriber level or higher).\n- **Preconditions**: The plugin must be active.\n\n## 3. Code Flow\nThe vulnerability is triggered through the standard WordPress AJAX flow:\n1. **Entry Point**: A `POST` request is sent to `admin-ajax.php` with `action=speedup01_enabled`.\n2. 
**Hook Registration**: The plugin registers the action (likely in the main plugin file or an admin-specific include):\n   ```php\n   add_action( 'wp_ajax_speedup01_enabled', 'speedup01_ajax_enabled' );\n   ```\n3. **Handler Execution**: WordPress calls `speedup01_ajax_enabled()`.\n4. **Vulnerable Sink**: Inside `speedup01_ajax_enabled()`, the code likely retrieves a value from `$_POST` and updates a WordPress option without checking if the user is an administrator.\n   ```php\n   function speedup01_ajax_enabled() {\n       \u002F\u002F MISSING: current_user_can('manage_options')\n       \u002F\u002F MISSING: check_ajax_referer(...)\n       $status = sanitize_text_field($_POST['enabled']); \u002F\u002F (inferred)\n       update_option('speedup01_enabled', $status); \u002F\u002F (inferred option name)\n       wp_die();\n   }\n   ```\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability description explicitly states that the function **lacks nonce verification**. Therefore, no nonce is required to exploit this endpoint. \n\nIf the agent discovers during exploration that a nonce is actually present but the capability check is still missing, it should:\n1. Create a post containing any plugin-related shortcodes found via `grep -r \"add_shortcode\"`.\n2. Navigate to that page using `browser_navigate`.\n3. Extract nonces from the global window object (e.g., `window.speedup_data?.nonce`) using `browser_eval`.\n\n## 5. 
Exploitation Strategy\nThe goal is to toggle the site's optimization status as a Subscriber user.\n\n### Step 1: Discover the Payload Format\nThe agent should first inspect the plugin code to confirm the parameter name and option name.\n- Command: `grep -rn \"function speedup01_ajax_enabled\" .`\n- Command: `grep -rn \"speedup01_enabled\" .`\n\n### Step 2: Perform the Exploit\nOnce the parameter name is confirmed (assuming `enabled` for this plan), use `http_request` as a Subscriber.\n\n**Request Details**:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: \n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n    - `Cookie`: [Subscriber Session Cookies]\n- **Body**: `action=speedup01_enabled&enabled=0` (to disable) or `action=speedup01_enabled&enabled=1` (to enable).\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Ensure Speedup Optimization \u003C= 1.5.9 is installed and activated.\n2. **User Creation**: Create a Subscriber user:\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n   ```\n3. **Initial State Check**: Record the current value of the optimization setting:\n   ```bash\n   wp option get speedup01_enabled\n   ```\n\n## 7. Expected Results\n- The AJAX request should return a `200 OK` status (or a `wp_die` response, often `0` or `1`).\n- The internal WordPress option responsible for the optimization module's state should change to the value provided in the exploit request.\n\n## 8. Verification Steps\n1. **Database Check**: After sending the `POST` request, verify the option value via WP-CLI:\n   ```bash\n   wp option get speedup01_enabled\n   ```\n2. **Repeatability**: Change the value back and forth (e.g., from `1` to `0` then back to `1`) to confirm full control over the setting.\n\n## 9. 
Alternative Approaches\nIf the parameter name is not `enabled`, look for alternative common patterns in the `speedup01_ajax_enabled` function:\n- `status`\n- `value`\n- `active`\n- `speedup01_enabled_status`\n\nIf the option name is not `speedup01_enabled`, search for `update_option` calls within the handler to identify the correct target:\n- Command: `grep -A 10 \"function speedup01_ajax_enabled\" path\u002Fto\u002Ffile.php`","The Speedup Optimization plugin for WordPress fails to implement capability checks or nonce verification in its 'speedup01_enabled' AJAX handler. This allows authenticated users with Subscriber-level privileges or higher to enable or disable the site's optimization settings, potentially disrupting site performance or modifying plugin behavior.","\u002F* In the plugin's main file or admin handler *\u002F\nadd_action( 'wp_ajax_speedup01_enabled', 'speedup01_ajax_enabled' );\n\nfunction speedup01_ajax_enabled() {\n    \u002F\u002F Missing capability check (e.g., current_user_can('manage_options'))\n    \u002F\u002F Missing nonce verification (e.g., check_ajax_referer('nonce_name'))\n    $enabled = sanitize_text_field($_POST['enabled']);\n    update_option('speedup01_enabled', $enabled);\n    wp_die();\n}","--- a\u002Fspeedup-optimization.php\n+++ b\u002Fspeedup-optimization.php\n@@ -1,5 +1,9 @@\n function speedup01_ajax_enabled() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( -1 );\n+    }\n+    check_ajax_referer( 'speedup01_nonce', 'security' );\n+\n     $enabled = sanitize_text_field($_POST['enabled']);\n     update_option('speedup01_enabled', $enabled);\n     wp_die();","To exploit this vulnerability, an authenticated attacker with at least Subscriber-level access sends a POST request to the WordPress AJAX endpoint. The request must include the 'action' parameter set to 'speedup01_enabled' and an 'enabled' parameter set to the desired state (e.g., '0' to disable or '1' to enable). 
Because the plugin does not verify user permissions or nonces for this specific action, the request will successfully update the 'speedup01_enabled' option in the database, affecting the plugin's operational state across the site.","gemini-3-flash-preview","2026-04-18 01:05:13","2026-04-18 01:05:31",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fspeedup-optimization\u002Ftags"]
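Review bot: In the `research_fix_diff` hunk for `speedup01_ajax_enabled()`, the unchanged lines after the new checks still read `$_POST['enabled']` without an `isset()` guard or `wp_unslash()`, and store whatever text arrives in the `speedup01_enabled` option. Consider rejecting a request that lacks the parameter and normalising the value to `0` or `1` before `update_option()`. The added `check_ajax_referer( 'speedup01_nonce', 'security' )` also depends on the admin page issuing a nonce for the `speedup01_nonce` action and sending it in a `security` field, which this hunk does not show, so that change should be part of the same patch.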