The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).
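The core defect described above is a Heartbeat-driven dispatcher that skips the three gates the plugin's normal AJAX path enforces: a capability check, a nonce check, and an allow-list of permitted commands. The following is an added illustration of what a hardened `heartbeat_received` callback looks like; it is not WP-Optimize's own code. It uses only real WordPress APIs (`add_filter`, `current_user_can`, `wp_verify_nonce`, `sanitize_key`), while the data keys, the nonce action string, the allowed-command list and the `Example_Smush_Commands` class are assumptions made for the example.

```php
<?php
// Added example, not WP-Optimize code. Shows the checks a Heartbeat-driven
// command dispatcher should enforce, mirroring what an admin-ajax handler does.
// Every name prefixed "example_" / "Example_" is a hypothetical placeholder.

// Hypothetical allow-list of commands the heartbeat path may dispatch.
// The admin-only operations named in the advisory are deliberately absent:
// a read-only status probe is the only thing a background ping should reach.
const EXAMPLE_HEARTBEAT_ALLOWED_COMMANDS = array(
    'get_smush_status',
);

/**
 * Hardened heartbeat_received callback (example).
 *
 * @param array $response Data WordPress will return to the browser.
 * @param array $data     Data posted by the Heartbeat API (keys below are assumed).
 * @return array
 */
function example_smush_receive_heartbeat( $response, $data ) {
    if ( empty( $data['example_smush_command'] ) ) {
        return $response; // nothing addressed to us in this heartbeat
    }

    // 1. Capability check: the same privilege the AJAX handler requires.
    //    This is the check whose absence lets a Subscriber reach admin commands.
    if ( ! current_user_can( 'manage_options' ) ) {
        $response['example_smush_error'] = 'insufficient_capability';
        return $response;
    }

    // 2. Nonce check: the token is assumed to have been issued with
    //    wp_create_nonce( 'example-smush-heartbeat' ) on a privileged admin page.
    $nonce = isset( $data['example_smush_nonce'] ) ? (string) $data['example_smush_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example-smush-heartbeat' ) ) {
        $response['example_smush_error'] = 'bad_nonce';
        return $response;
    }

    // 3. Allow-list check: the command name is normalised and must appear in
    //    the fixed list above; an arbitrary method name is never dispatched.
    $command = sanitize_key( $data['example_smush_command'] );
    if ( ! in_array( $command, EXAMPLE_HEARTBEAT_ALLOWED_COMMANDS, true ) ) {
        $response['example_smush_error'] = 'command_not_allowed';
        return $response;
    }

    // All three gates passed: dispatch to the hypothetical command object.
    $commands = new Example_Smush_Commands();
    if ( ! is_callable( array( $commands, $command ) ) ) {
        $response['example_smush_error'] = 'command_unavailable';
        return $response;
    }
    $response['example_smush_result'] = call_user_func( array( $commands, $command ) );
    return $response;
}
add_filter( 'heartbeat_received', 'example_smush_receive_heartbeat', 10, 2 );
```

The capability check is the one that matters most: a nonce only proves the request originated from a page the user could load, and a Subscriber can legitimately obtain nonces for their own pages, so a nonce without `current_user_can()` would not close the hole. The allow-list matters independently of both, because it keeps destructive commands such as bulk deletion off a background channel entirely, even for administrators.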
WP-Optimize plugin versions up to 4.5.0 contain missing capability checks in the heartbeat handler, allowing authenticated subscribers to execute admin-only Smush operations. This vulnerability enables unauthorized access to sensitive functions including log file reading, backup deletion, and image processing without proper permission verification.
A vulnerability in the WP-Optimize plugin allows authenticated users with Subscriber-level access to execute restricted administrative operations via the Heartbeat handler. The reachable operations include reading log files, deleting all backup images, bulk image processing, and modifying Smush options.
Update WP-Optimize plugin to version 4.5.1 or later immediately. Review user roles and remove unnecessary Subscriber-level access from WordPress installations. Audit logs for unauthorized Smush operations and restore any deleted backup images from backups. Implement Web Application Firewall rules to monitor heartbeat endpoint activity.
Update the WP-Optimize plugin to version 4.5.1 or later immediately. Review user roles and remove unnecessary Subscriber-level access. Audit logs for unauthorized operations and restore deleted images from backups. Apply firewall rules to monitor activity on the Heartbeat endpoint.