Ed's Font Awesome plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the eds_font_awesome shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 2.0 are affected, allowing authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript that persists in pages and executes for all users viewing those pages. No evidence of active exploitation in the wild (KEV status unknown), but the vulnerability is straightforward to exploit given contributor access and represents a persistent compromise vector.
The WPFAQBlock plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the 'class' parameter of the 'wpfaqblock' shortcode, affecting all versions up to and including 1.1. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users visiting those pages. With a CVSS score of 6.4 and low attack complexity, this represents a moderate-to-significant risk for WordPress installations using this plugin, particularly on multi-author sites where contributor accounts may be compromised or malicious.
The Outgrow WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1, affecting the 'id' attribute of the 'outgrow' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary JavaScript that executes for all users viewing affected pages. With a CVSS score of 6.4 and moderate attack complexity, this vulnerability poses a real threat to WordPress sites using this plugin, as privilege escalation through stored XSS could enable further compromise.
The iVysilani Shortcode WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'width' shortcode attribute due to insufficient input sanitization and output escaping. All versions up to and including 3.0 are affected, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that persists in page content and executes for all subsequent site visitors. The vulnerability has been documented by Wordfence with proof-of-concept code available in the WordPress plugin repository, presenting a significant risk to WordPress installations relying on this plugin.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Post Flagger WordPress plugin for all versions up to and including 1.1, caused by insufficient input sanitization and output escaping in the 'flag' shortcode's user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages, which executes for all users who view those pages. This vulnerability has a CVSS score of 6.4 (Medium) and is confirmed in the WordPress plugin repository; no evidence of active exploitation or public proof-of-concept is currently documented, but the straightforward nature of the vulnerability suggests exploitation potential.
The FuseDesk WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the fusedesk_newcase shortcode that fails to properly sanitize and escape the 'emailtext' attribute. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into WordPress pages that execute for all subsequent visitors. The vulnerability affects all versions up to and including 6.8, with a CVSS score of 6.4 indicating moderate severity; no KEV or active exploitation data is currently documented, but the low attack complexity and network accessibility make this a meaningful concern for multi-user WordPress installations.
The Twitter Feeds plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'tweet_title' parameter of the TwitterFeeds shortcode due to insufficient input sanitization and output escaping. All versions up to and including 1.0.0 are affected, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that persists in pages and executes for all users who view the compromised content. With a CVSS score of 6.4 (Medium) and CWE-79 classification, this vulnerability poses a meaningful risk to WordPress sites using this plugin, particularly those with permissive user role assignments.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Logo Slider WordPress plugin (versions up to 4.9.0) that allows authenticated attackers with author-level privileges to inject malicious scripts through image alt text in the 'logo-slider' shortcode. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent script execution whenever users access pages containing the injected content. With a CVSS score of 6.4 and moderate real-world exploitability, this represents a credible threat to WordPress sites with multiple trusted authors.
The Schema Shortcode plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the `itemscope` shortcode that allows authenticated attackers with contributor-level access or higher to inject arbitrary malicious scripts into pages. These injected scripts execute whenever any user accesses the affected page, potentially compromising visitor sessions and data. With a CVSS score of 6.4 and confirmed vulnerability through Wordfence intelligence, this represents a meaningful risk to WordPress sites using this plugin, though exploitation requires authenticated access rather than unauthenticated exploitation.
The Multi Post Carousel by Category WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'slides' shortcode attribute due to insufficient input sanitization and output escaping in the post_slides_shortcode function. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code into pages, and the malicious script will execute whenever any user visits the affected page. With a CVSS score of 6.4 and confirmed vulnerability across all versions up to and including 1.4, this represents a moderate-risk vulnerability primarily affecting WordPress sites using this plugin.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Integration with Hubspot Forms WordPress plugin (all versions up to 1.2.2) due to insufficient input sanitization and output escaping on shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into pages via the 'hubspotform' shortcode, which executes whenever users access the compromised page. While no public exploit-in-the-wild activity has been reported, the vulnerability is straightforward to exploit and poses a moderate risk given the low privilege requirement and broad attack surface in WordPress environments.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the MinhNhut Link Gateway WordPress plugin versions up to and including 3.6.1, where the 'linkgate' shortcode fails to properly sanitize and escape user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript that persists in pages and executes for all users who view those pages. The vulnerability has a CVSS 3.1 score of 6.4 with a network attack vector and low complexity, indicating practical exploitability by lower-privileged authenticated users.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Tour & Activity Operator Plugin for TourCMS (all versions up to 1.7.0) affecting WordPress installations. The vulnerability resides in the 'target' parameter of the tourcms_doc_link shortcode, where insufficient input sanitization and output escaping allows authenticated attackers with Contributor-level privileges and above to inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable risk to WordPress sites using this plugin.
The Simple Football Scoreboard plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ytmr_fb_scoreboard' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0 are affected, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes for all users viewing the compromised page. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable threat to WordPress sites using this plugin.
The WP NG Weather plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ng-weather' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0.9 are affected, allowing authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript that executes when users visit pages containing the malicious shortcode. With a CVSS score of 6.4 and network-accessible attack vector, this vulnerability poses a moderate risk to WordPress installations using this plugin.
The rexCrawler WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the search-pattern tester page that allows unauthenticated attackers to inject arbitrary web scripts via inadequately sanitized 'url' and 'regex' parameters. Affected versions are up to and including 1.0.15 (CPE: cpe:2.3:a:larsdrasmussen:rexcrawler:*:*:*:*:*:*:*:*), with exploitation requiring social engineering to trick administrators into clicking a malicious link. This vulnerability is limited to WordPress multisite installations or sites where the unfiltered_html capability has been disabled, and carries a CVSS v3.1 score of 6.1 with an AV:N/AC:L/PR:N/UI:R/S:C profile indicating network-based exploitation with user interaction required.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Comment Genius WordPress plugin versions up to 1.2.5, where the PHP_SELF server variable is insufficiently sanitized and escaped in output, allowing unauthenticated attackers to inject arbitrary JavaScript code. Affected users are WordPress site administrators and visitors who can be tricked into clicking malicious links. The vulnerability has a CVSS score of 6.1 (Medium) with network accessibility and low complexity, though it requires user interaction to execute.
The WP-WebAuthn WordPress plugin contains an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the wwa_auth AJAX endpoint that allows attackers to inject arbitrary JavaScript into the plugin's log page. Affected are all versions up to and including 1.3.4 of the plugin (identified via CPE cpe:2.3:a:axton:wp-webauthn:*:*:*:*:*:*:*:*), which is exploitable only when logging is enabled in plugin settings. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, enabling persistent XSS execution whenever administrators or authorized users access the logging interface.
The itsukaita WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the 'day_from' and 'day_to' parameters due to insufficient input sanitization and output escaping. All versions up to and including 0.1.2 are affected, allowing unauthenticated attackers to inject arbitrary web scripts that execute in administrator browsers if they click a malicious link. With a CVSS score of 6.1 (Medium) and a requirement for user interaction (UI:R), this vulnerability poses a moderate but real threat to WordPress installations using this plugin.
The Alfie - Feed Plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'naam' parameter of the alfie_option_page() function, affecting all versions up to and including 1.2.1. The vulnerability stems from missing nonce validation combined with insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject malicious scripts that persist in the plugin's database and execute when users view affected pages. An attacker must successfully social engineer a site administrator into clicking a malicious link, but once exploited, the payload executes with the privileges of any user accessing the compromised page, making this a moderate-risk vulnerability with a CVSS score of 6.1.
PbootCMS versions up to 3.2.12 contain an incomplete blacklist bypass vulnerability in the file upload functionality (core/function/file.php) that allows authenticated attackers to upload dangerous files by manipulating the blacklist parameter. An attacker with login credentials can bypass file type restrictions to upload arbitrary files, potentially achieving remote code execution or other malicious outcomes. A public proof-of-concept exploit is available on GitHub, increasing the practical risk of exploitation.
A code injection vulnerability exists in Foundation Agents MetaGPT up to version 0.8.1, specifically in the DataInterpreter component's write_analysis_code.py file, allowing authenticated attackers to inject and execute arbitrary code remotely. The vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) with a CVSS score of 6.3 and requires low privileges and no user interaction. A public proof-of-concept exploit is available, indicating active research and potential real-world exploitation risk.
A code injection vulnerability exists in Foundation Agents MetaGPT versions up to 0.8.1 within the code_generate function of metagpt/ext/aflow/scripts/operator.py, allowing authenticated remote attackers to execute arbitrary code. The vulnerability is classified as CWE-94 (improper control of generation of code) and carries a CVSS score of 6.3 with network-based attack vector requiring low privileges. A public exploit has been disclosed on GitHub, and the vendor has not responded to early disclosure attempts, elevating the practical risk despite the moderate CVSS rating.
A code injection vulnerability exists in vanna-ai vanna up to version 2.0.2, specifically in the exec function of the /src/vanna/legacy file. This authenticated remote code injection allows attackers with login credentials to execute arbitrary code with limited impact on confidentiality, integrity, and availability. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure notifications, making this an active concern for deployed instances.
PbootCMS versions up to 3.2.12 contain an improper access control vulnerability in the Backend UserController component that allows authenticated attackers to manipulate the Field argument and bypass access restrictions. An attacker with login credentials can exploit this to gain unauthorized access to sensitive user data or system functions. A proof-of-concept exploit has been publicly disclosed on GitHub and the vulnerability carries a moderate CVSS score of 6.3 with documented exploitation capability.
A reflected cross-site scripting (XSS) vulnerability exists in PbootCMS versions up to 3.2.12 in the alert_location function of the MemberController.php file, where the backurl parameter is not properly sanitized before output. An attacker can craft a malicious URL containing JavaScript code that will execute in a victim's browser when they click the link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available on GitHub, increasing the risk of active exploitation.
SQL injection in vanna-ai vanna versions up to 2.0.2 allows authenticated remote attackers to manipulate the ask function in vanna/legacy/base/base.py, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
The Post Snippits WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on settings page handlers that manage snippet creation, modification, and deletion. Unauthenticated attackers can exploit this by crafting malicious requests that, when clicked by an administrator, allow injection of arbitrary scripts and modification of plugin settings, potentially leading to site compromise. The vulnerability has a CVSS score of 6.1 with a network attack vector requiring user interaction.
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control mechanism for direct message pairing policies, allowing attackers to reuse pairing approvals across multiple accounts in multi-account deployments. An authenticated attacker (PR:L) who has been approved as a sender in one account can be automatically accepted in another account without explicit re-approval, effectively bypassing authorization boundaries between accounts. The vulnerability has a CVSS score of 3.7 with medium attack complexity and low confidentiality and integrity impacts; no active exploitation in the wild (KEV) or public proof-of-concept has been confirmed, but patches are available from the vendor.
SQL injection in apconw Aix-DB through the terminology_retriever.py module allows local attackers to manipulate the Description argument and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected versions include Aix-DB up to 1.2.3.
The The Contact Form, Survey, Quiz & Popup Form Builder - ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A Stored Cross-Site Scripting vulnerability exists in the Multi Functional Flexi Lightbox WordPress plugin (versions up to and including 1.2) that allows authenticated administrators to inject arbitrary JavaScript code via the arv_lb[message] parameter. The vulnerability stems from insufficient input sanitization in the arv_lb_options_val() callback function and missing output escaping in the genLB() function, enabling malicious scripts to execute in the browsers of any user viewing pages or posts with the lightbox enabled. With a CVSS score of 5.5 and requiring high-privilege administrator access, this represents a moderate but real risk primarily applicable to compromised or malicious admin accounts.
The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.
The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.
The Appmax WordPress plugin versions up to 1.0.3 contain an improper input validation vulnerability in its public REST API webhook endpoint at /webhook-system that fails to authenticate, verify signatures, or validate the authenticity of incoming webhook requests. Unauthenticated attackers can exploit this by crafting malicious webhook payloads to modify existing WooCommerce order statuses, create arbitrary new orders and products with attacker-controlled data, and inject arbitrary metadata into orders. With a CVSS score of 5.3 (medium severity), an CVSS vector indicating network accessibility with low attack complexity and no authentication required, and confirmed vulnerability references in the official WordPress plugin repository, this vulnerability poses a significant integrity risk to e-commerce sites using the affected plugin.
The Build App Online WordPress plugin contains an authentication bypass vulnerability in the 'build-app-online-update-vendor-product' AJAX action that allows unauthenticated attackers to modify post metadata without authorization. Affected versions are up to and including 1.0.23 as confirmed via CPE (cpe:2.3:a:hakeemnala:build_app_online). Attackers can orphan posts by setting the post_author field to 0 or, if authenticated, claim ownership of arbitrary posts by reassigning authorship, resulting in unauthorized content modification with medium integrity impact (CVSS 5.3).
The WP-Chatbot for Messenger WordPress plugin versions up to 4.9 contains an authorization bypass vulnerability that allows unauthenticated attackers to overwrite critical chatbot configuration options, specifically the MobileMonkey API token and company ID. This enables attackers to hijack the site's chatbot functionality and redirect visitor conversations to attacker-controlled accounts without requiring any authentication or user interaction. The vulnerability has a CVSS score of 5.3 with a network attack vector and no privilege requirements, making it readily exploitable by any remote attacker.
The Punnel - Landing Page Builder WordPress plugin contains a critical missing authorization vulnerability in the save_config() AJAX function that allows authenticated attackers with Subscriber-level privileges to overwrite the plugin's configuration and API key without proper capability checks or nonce verification. Combined with an insecure public API endpoint (sniff_requests()) that only validates requests via token comparison, attackers can subsequently create, update, or delete arbitrary posts, pages, and products on affected WordPress installations. The vulnerability affects all versions up to and including 1.3.1 and has been documented by Wordfence with publicly available code references.
The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with Subscriber-level access to modify arbitrary users' WeChat shop metadata by exploiting a permission validation flaw. The vulnerability affects all versions up to and including 5.1.2, where the permission callback validates one parameter (openid) but the actual modification function uses a different attacker-controlled parameter (userid) without cross-validation. Attackers can exploit this via the REST API to alter storeinfo, storeappid, and storename fields for any user account, potentially disrupting store operations or impersonating legitimate shop owners.
The e-shot form builder plugin for WordPress contains a sensitive information exposure vulnerability in the eshot_form_builder_get_account_data() AJAX handler that is accessible to any authenticated user without capability checks or nonce verification. An attacker with Subscriber-level access or higher can extract the e-shot API token and subaccount information by calling this AJAX endpoint, potentially compromising the victim's e-shot platform account. The vulnerability affects all versions up to and including 1.0.2, and while this CVE does not appear in the KEV catalog or have public proof-of-concept code readily available, the CVSS score of 5.3 reflects moderate risk due to the low attack complexity and lack of user interaction required.
The Review Map by RevuKangaroo WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in its plugin settings that allows authenticated administrators to inject arbitrary JavaScript code through insufficient input sanitization and output escaping. This vulnerability affects all versions up to and including 1.7 and only manifests in WordPress multisite installations or single-site installations where the unfiltered_html capability has been disabled. Once injected, the malicious script executes whenever any user accesses the affected page, making this a persistent XSS attack vector that can compromise user sessions and sensitive data.
The Weaver Show Posts plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'add_class' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator-level access can inject arbitrary web scripts that execute when users access injected pages, with particular impact in multisite installations where Administrators lack the unfiltered_html capability. A proof-of-concept demonstration exists, though the CVSS 4.4 score reflects the high privilege requirement needed for exploitation.
The Reward Video Ad for WordPress plugin (all versions up to 1.6) contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings due to insufficient input sanitization and output escaping on fields including Account ID, Message before the video, and color parameters. This allows authenticated administrators to inject arbitrary JavaScript that executes whenever any user accesses an affected page, potentially compromising site visitors. The vulnerability requires Administrator-level access to exploit, limiting the attack surface to high-privilege accounts, though once injected, the malicious scripts execute with no further user interaction required.
The Wikilookup plugin for WordPress versions up to 1.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'Popup Width' setting due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator-level access can inject arbitrary JavaScript that executes for all users viewing affected pages, but only in multi-site installations or where the unfiltered_html capability has been disabled. With a CVSS score of 4.4 and high attack complexity requirements, this represents a low-to-moderate real-world threat that requires both administrative access and specific WordPress configurations to exploit.
The Comment SPAM Wiper plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'API Key' setting that allows authenticated administrators to inject arbitrary JavaScript code. This vulnerability affects multi-site WordPress installations and those with the unfiltered_html capability disabled, impacting versions up to and including 1.2.1. While the CVSS score of 4.4 is moderate and exploitation requires high-privilege access (Administrator level), the stored nature of the XSS means injected scripts execute for all users accessing affected pages, creating persistent exposure.
The Mandatory Field plugin for WordPress versions up to 1.6.8 contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings due to insufficient input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript that executes for all users accessing affected pages, but exploitation is limited to multi-site WordPress installations or those with unfiltered_html disabled. With a CVSS score of 4.4 and high attack complexity, this represents a moderate-severity privilege escalation risk for WordPress administrators seeking to inject malicious scripts; no public POC or active exploitation has been indicated in KEV data.
The Survey plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in administrative settings due to insufficient input sanitization and output escaping, affecting all versions up to and including 1.1. Authenticated attackers with administrator-level permissions can inject arbitrary JavaScript code that executes when users access affected pages, though this is restricted to multi-site installations or those with unfiltered_html disabled. With a CVSS score of 4.4 and high attack complexity requiring administrator privileges, the real-world risk is moderate; no public exploit code or KEV status has been indicated, making this a lower-priority remediation compared to critical vulnerabilities.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Ricerca - advanced search WordPress plugin affecting all versions up to and including 1.1.12, caused by insufficient input sanitization and output escaping in the plugin's settings interface. Only authenticated administrators on multi-site WordPress installations or those with unfiltered_html disabled are able to inject malicious scripts that execute for all users viewing affected pages. The CVSS score of 4.4 reflects the requirement for high-privilege administrative access and specific configuration conditions, though the impact remains meaningful given the scope of affected multi-site deployments.
The Group Chat & Video Chat by AtomChat WordPress plugin (versions up to 1.1.7) contains a missing capability check vulnerability in the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' AJAX handlers, allowing authenticated Subscriber-level users and above to arbitrarily modify plugin options including API keys and authentication credentials. With a CVSS score of 5.3 and network-based attack vector requiring only authentication (not admin privileges), this represents a medium-severity privilege escalation and configuration tampering issue affecting WordPress installations using this plugin. No evidence of active exploitation in the wild has been documented at this time, though the straightforward nature of the vulnerability (missing capability checks) suggests proof-of-concept code could be easily developed.
The Speedup Optimization plugin for WordPress contains a missing authorization vulnerability in the `speedup01_ajax_enabled()` AJAX handler that fails to verify user capabilities or nonce tokens, allowing authenticated attackers with Subscriber-level privileges to enable or disable the site's optimization module. Affected versions include all releases up to and including 1.5.9, as documented by Wordfence. While the CVSS score of 5.3 is moderate, the vulnerability represents a clear authorization bypass that could allow low-privileged attackers to degrade site performance or disable security-relevant optimization features.