Skip to main content

Asset CleanUp: Page Speed Booster CVE-2026-45212

| EUVDEUVD-2026-29454 MEDIUM
Missing Authorization (CWE-862)
2026-05-12 Patchstack GHSA-7h7f-98xc-35q3
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 11:32 vuln.today
CVE Published
May 12, 2026 - 11:02 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Asset CleanUp: Page Speed Booster: from n/a through <= 1.4.0.3.

AnalysisAI

Unauthenticated remote attackers can trigger a denial-of-service condition against Asset CleanUp: Page Speed Booster (WordPress plugin) versions up to 1.4.0.3 by exploiting missing authorization controls that incorrectly configure access restrictions. The vulnerability allows attackers to perform actions intended for authenticated administrators without proper authentication, resulting in availability impact through the ability to modify or disable asset optimization features.

Technical ContextAI

Asset CleanUp: Page Speed Booster is a WordPress plugin that optimizes page loading performance by managing and cleaning up unnecessary assets (CSS, JavaScript, fonts). The vulnerability stems from CWE-862 (Missing Authorization), indicating that the plugin fails to implement proper access control checks before allowing sensitive operations. The plugin likely exposes administrative endpoints or AJAX handlers without verifying user roles or nonces, permitting unauthenticated WordPress visitors to trigger privileged functions. This is a common WordPress plugin vulnerability pattern where developers forget to add current_user_can() capability checks or omit wp_nonce_field() and wp_verify_nonce() validations.

RemediationAI

Update Asset CleanUp: Page Speed Booster to version 1.4.0.4 or later immediately; patch availability is expected from the vendor following Patchstack disclosure. Until patching is possible, implement network-level mitigation by restricting WordPress admin and AJAX endpoints using Web Application Firewall (WAF) rules to block POST requests to /wp-admin/admin-ajax.php referencing the plugin's action handlers-note this will disable all plugin features requiring admin requests and should only be temporary. Alternatively, use a WordPress security plugin (e.g., Wordfence, Sucuri) to add capability-based request blocking, verifying that all plugin functions check current_user_can('manage_options') before execution. Review WordPress user roles and disable plugin features for untrusted users via the plugin settings to limit the attack surface while awaiting patching.

Share

CVE-2026-45212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy