Vulnerabilities ›

CVE-2026-4127

Medium

CWE-862 — Weakness Type

                    Published: Mar 21, 2026                      ·  Modified: Mar 23, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax.

🤖 AI Executive Summary

The Speedup Optimization WordPress plugin versions up to 1.5.9 lack authorization checks in the speedup01_ajax_enabled() AJAX function, allowing authenticated subscribers to enable or disable site optimization. This vulnerability bypasses capability checks that are properly implemented in other plugin functions.

📄 Description (Arabic)

إضافة Speedup Optimization لـ WordPress تحتوي على ثغرة في التحقق من الصلاحيات في دالة AJAX تسمى speedup01_ajax_enabled(). يمكن للمستخدمين المصرح لهم على مستوى المشترك أو أعلى تفعيل أو تعطيل وحدة تحسين الموقع دون التحقق من الصلاحيات المناسبة.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 05:54

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

government telecom banking

🎯 MITRE ATT&CK Techniques

T1078.001 T1548

⚖️ Saudi Risk Score (AI)

5.0

/ 10.0

🔧 Remediation Steps (English)

Update the Speedup Optimization plugin to version 1.6.0 or later. Implement proper capability checks using current_user_can() with appropriate capabilities (e.g., manage_options) and add nonce verification to the speedup01_ajax_enabled() function. Restrict AJAX handlers to authenticated users with administrative privileges.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Speedup Optimization إلى الإصدار 1.6.0 أو أحدث. قم بتنفيذ فحوصات القدرات المناسبة باستخدام current_user_can() مع القدرات المناسبة (مثل manage_options) وأضف التحقق من nonce إلى دالة speedup01_ajax_enabled(). قيد معالجات AJAX للمستخدمين المصرح لهم فقط مع امتيازات إدارية.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2

🔵 SAMA CSF

AC-2 AC-3

🟡 ISO 27001:2022

A.9.2.1 A.9.2.5

🔗 References & Sources 5

🔗

https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-opti...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-opti...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimizat...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimizat...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/3f37c650-af0d-4474-9c1b-7f8d3...

security@wordfence.com

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-862

Exploit No

Patch ✗ No

Published 2026-03-21

Source Feed nvd

🇸🇦 Saudi Risk Score

5.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-862

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-4127

💬 Comments

Introduce Yourself

Sign In Required