Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Asset CleanUp: Page Speed Booster: from n/a through <= 1.4.0.3.
AnalysisAI
Unauthenticated remote attackers can trigger a denial-of-service condition against Asset CleanUp: Page Speed Booster (WordPress plugin) versions up to 1.4.0.3 by exploiting missing authorization controls that incorrectly configure access restrictions. The vulnerability allows attackers to perform actions intended for authenticated administrators without proper authentication, resulting in availability impact through the ability to modify or disable asset optimization features.
Technical ContextAI
Asset CleanUp: Page Speed Booster is a WordPress plugin that optimizes page loading performance by managing and cleaning up unnecessary assets (CSS, JavaScript, fonts). The vulnerability stems from CWE-862 (Missing Authorization), indicating that the plugin fails to implement proper access control checks before allowing sensitive operations. The plugin likely exposes administrative endpoints or AJAX handlers without verifying user roles or nonces, permitting unauthenticated WordPress visitors to trigger privileged functions. This is a common WordPress plugin vulnerability pattern where developers forget to add current_user_can() capability checks or omit wp_nonce_field() and wp_verify_nonce() validations.
RemediationAI
Update Asset CleanUp: Page Speed Booster to version 1.4.0.4 or later immediately; patch availability is expected from the vendor following Patchstack disclosure. Until patching is possible, implement network-level mitigation by restricting WordPress admin and AJAX endpoints using Web Application Firewall (WAF) rules to block POST requests to /wp-admin/admin-ajax.php referencing the plugin's action handlers-note this will disable all plugin features requiring admin requests and should only be temporary. Alternatively, use a WordPress security plugin (e.g., Wordfence, Sucuri) to add capability-based request blocking, verifying that all plugin functions check current_user_can('manage_options') before execution. Review WordPress user roles and disable plugin features for untrusted users via the plugin settings to limit the attack surface while awaiting patching.
More in Asset Cleanup
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29454
GHSA-7h7f-98xc-35q3