{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4127", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T14:10:09.369Z", "datePublished": "2026-03-21T03:26:41.459Z", "dateUpdated": "2026-04-16T12:51:09.659Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:09.149Z"}, "affected": [{"vendor": "charlycharm", "product": "Speedup Optimization", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax."}], "title": "Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via 'speedup01_enabled' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f37c650-af0d-4474-9c1b-7f8d361b4d81?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimization.php#L172"}, {"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-optimization.php#L172"}, {"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimization.php#L178"}, {"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-optimization.php#L178"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-03-20T15:08:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:51:03.357443Z", "id": "CVE-2026-4127", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:51:09.659Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4127", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:51:03.357443Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:17:57.852Z"}}], "cna": {"title": "Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via 'speedup01_enabled' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "charlycharm", "product": "Speedup Optimization", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:08:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f37c650-af0d-4474-9c1b-7f8d361b4d81?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimization.php#L172"}, {"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-optimization.php#L172"}, {"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimization.php#L178"}, {"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-optimization.php#L178"}], "descriptions": [{"lang": "en", "value": "The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:09.149Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4127", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:51:09.659Z", "dateReserved": "2026-03-13T14:10:09.369Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:41.459Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax."}, {"lang": "es", "value": "El plugin Speedup Optimization para WordPress es vulnerable a la falta de autorizaci\u00f3n en todas las versiones hasta la 1.5.9 inclusive. La funci\u00f3n speedup01_ajax_enabled(), que maneja la acci\u00f3n AJAX wp_ajax_speedup01_enabled, no realiza ninguna comprobaci\u00f3n de capacidad a trav\u00e9s de current_user_can() y tambi\u00e9n carece de verificaci\u00f3n de nonce. Esto contrasta con otros manejadores AJAX en el mismo plugin (por ejemplo, speedup01_ajax_install_iox y speedup01_ajax_delete_cache_file) que comprueban correctamente las capacidades install_plugins y manage_options respectivamente. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, habiliten o deshabiliten el m\u00f3dulo de optimizaci\u00f3n del sitio enviando una solicitud POST a admin-ajax."}], "id": "CVE-2026-4127", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-21T04:17:41.393", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-optimization.php#L172"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-optimization.php#L178"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimization.php#L172"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimization.php#L178"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f37c650-af0d-4474-9c1b-7f8d361b4d81?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Speedup Optimization", "source": "cna", "vendor": "charlycharm"}, "product": "speedup_optimization", "vendor": "charlycharm"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T18:56:03.602503+00:00", "value": {"mitigation_remediation": ["Upgrade the Speedup Optimization plugin to any version newer than 1.5.9.", "If an update is not immediately available, consider removing or disabling the plugin until a patch is released.", "Avoid granting common roles such as Subscriber or Contributor the ability to hit the admin-ajax endpoint until the plug\u2011in is fixed.", "Check that future AJAX handlers include proper capability checks and nonce validation to prevent similar gaps."], "summary": {"action": "Apply patch", "impact": "Unauthorized plugin configuration changes"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Speedup Optimization plugin installed, version 1.5.9 or earlier. The vulnerability affects all instances where the plugin is active, regardless of the overall WordPress version. Users with any authenticated role from Subscriber upwards can trigger the defect via the exposed AJAX action.", "description_and_impact": "The Speedup Optimization plugin for WordPress allows any authenticated user with at least Subscriber level access to toggle the optimization engine on or off through an AJAX endpoint that performs no capability checks or nonce verification. The flaw arises in the speedup01_ajax_enabled() handler, which omits any call to current_user_can() and does not validate a security nonce. Because the endpoint accepts a POST request to admin-ajax.php with action speedup01_enabled, any logged\u2011in user can enable or disable the plugin\u2019s optimization module. This results in unauthorized configuration modification that could affect site performance or functionality, but does not provide direct code execution or data exfiltration. The underlying weakness is a missing authorization check (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% shows low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The exploit path is simple: a legitimate user simply sends a crafted POST request to admin-ajax.php specifying action=speedup01_enabled. No additional privileges or system compromise are required beyond basic authentication, making the vulnerability easily exploitable for those with access to a site account."}}}}, "created": "2026-03-23T09:50:48.607609+00:00", "updated": "2026-04-08T20:01:23.444127+00:00", "vendors": ["charlycharm", "charlycharm$PRODUCT$speedup_optimization", "wordpress", "wordpress$PRODUCT$wordpress"]}