Description
The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax.
Published: 2026-03-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized plugin configuration changes
Action: Apply patch
AI Analysis

Impact

The Speedup Optimization plugin for WordPress allows any authenticated user with at least Subscriber level access to toggle the optimization engine on or off through an AJAX endpoint that performs no capability checks or nonce verification. The flaw arises in the speedup01_ajax_enabled() handler, which omits any call to current_user_can() and does not validate a security nonce. Because the endpoint accepts a POST request to admin-ajax.php with action speedup01_enabled, any logged-in user can enable or disable the plugin's optimization module. This results in unauthorized configuration modification that could affect site performance or functionality, but does not provide direct code execution or data exfiltration. The underlying weakness is a missing authorization check (CWE-862).

Affected Systems

WordPress sites that have the Speedup Optimization plugin installed, version 1.5.9 or earlier. The vulnerability affects all instances where the plugin is active, regardless of the overall WordPress version. Users with any authenticated role from Subscriber upwards can trigger the defect via the exposed AJAX action.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% shows low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The exploit path is simple: a legitimate user simply sends a crafted POST request to admin-ajax.php specifying action=speedup01_enabled. No additional privileges or system compromise are required beyond basic authentication, making the vulnerability easily exploitable for those with access to a site account.

Generated by OpenCVE AI on April 8, 2026 at 18:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Speedup Optimization plugin to any version newer than 1.5.9.
  • If an update is not immediately available, consider removing or disabling the plugin until a patch is released.
  • Avoid granting common roles such as Subscriber or Contributor the ability to hit the admin-ajax endpoint until the plugin is fixed.
  • Check that future AJAX handlers include proper capability checks and nonce validation to prevent similar gaps.

Generated by OpenCVE AI on April 8, 2026 at 18:56 UTC.
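The gap the description and the last recommended action point at is the absence of a nonce check and a capability check in a `wp_ajax_*` handler. The following is an added illustration of that pattern and its fix, not code from the Speedup Optimization plugin; the function, option, nonce and script-handle names are placeholders.

```php
<?php
// Added illustration of the missing-authorization pattern; not code from the
// Speedup Optimization plugin. All names below are placeholders.

// Vulnerable shape: wp_ajax_* hooks fire for every authenticated session,
// Subscriber included, so without a gate any logged-in user can flip the setting.
function example_ajax_enabled_unchecked() {
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_optimization_enabled', $enabled ); // no authorization
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

// Hardened shape: verify the nonce first (CSRF), then the capability (authorization).
function example_ajax_enabled_checked() {
    // Dies with HTTP 403 when the 'nonce' POST field is missing, stale or forged.
    check_ajax_referer( 'example_toggle_nonce', 'nonce' );

    // Only users allowed to manage site configuration may change the setting,
    // matching the manage_options gate the plugin's other handlers already use.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_optimization_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_enabled', 'example_ajax_enabled_checked' );

// The nonce is issued to the admin page that renders the toggle; the page's
// script (assumed registered under the 'example-toggle' handle) sends it back
// as the 'nonce' POST field alongside action=example_enabled.
function example_enqueue_toggle_script() {
    wp_localize_script( 'example-toggle', 'exampleToggle', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_toggle_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_toggle_script' );
```

A quick audit check for a plugin is to grep its `add_action( 'wp_ajax_` registrations and confirm each callback reaches both `check_ajax_referer()` (or `wp_verify_nonce()`) and `current_user_can()` before any `update_option()` or file write.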

Tracking


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Title
  Removed: Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'speedup01_enabled' AJAX Action
  Added: Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via 'speedup01_enabled' AJAX Action
Type: Metrics
  Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
  Added: Charlycharm; Charlycharm speedup Optimization; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Charlycharm; Charlycharm speedup Optimization; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
  Added: The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax.
Type: Title
  Added: Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'speedup01_enabled' AJAX Action
Type: Weaknesses
  Added: CWE-862
Type: References
  Added:
Type: Metrics
  Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Charlycharm Speedup Optimization
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:09.149Z

Reserved: 2026-03-13T14:10:09.369Z

Link: CVE-2026-4127

Vulnrichment

Updated: 2026-03-23T15:17:57.852Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T04:17:41.393

Modified: 2026-04-08T18:26:07.170

Link: CVE-2026-4127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:23Z

Weaknesses