Unauthorized Data Access and Modification Vulnerability in RapidLoad Web Vitals Automatically Plugin
CVE-2024-11840

7.1HIGH

Key Information:

Vendor: Wordpress
Status: Rapidload – Optimize Web Vitals Automatically
Vendor: CVE Published:; 11 December 2024

Summary

The RapidLoad - Optimize Web Vitals Automatically plugin for WordPress presents a security risk due to a lack of capability checks on several critical functions such as uucss_data and update_rapidload_settings. This vulnerability affects all versions up to and including 2.4.2, enabling authenticated attackers with Subscriber-level access or higher to manipulate plugin settings and potentially execute SQL injection attacks. These security gaps could compromise the integrity and confidentiality of website data, highlighting the importance of timely updates and security assessments for users of the RapidLoad plugin.

Affected Version(s)

RapidLoad – Optimize Web Vitals Automatically * <= 2.4.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3202982/unus...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 11, 2024
Vulnerability Reserved
Nov 26, 2024

Credit

Lucio Sá