WP-Optimize Missing Capability Checks in Heartbeat Function Allow Unauthorized Access to Admin-Only Features
Vulnerability
A vulnerability exists in the WP-Optimize plugin for WordPress, in all versions through 4.5.0. The issue arises from the 'receive_heartbeat()' function, which lacks proper capability checks. This oversight allows authenticated users with Subscriber-level access and above to reach restricted Smush operations. The Heartbeat handler calls methods from 'Updraft_Smush_Manager_Commands' without verifying user capabilities or nonce tokens, and without applying the command whitelist that the standard AJAX handler enforces. As a result, affected users can read Smush log files, delete backup images, initiate bulk image processing, and alter Smush settings.
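For context on the missing controls, the following is an added illustration (not WP-Optimize's own code) of a WordPress Heartbeat handler that applies the three checks the advisory names before dispatching a command: a capability check, a nonce check, and a command whitelist. The payload key 'smush_heartbeat', the nonce action, the allowed-command list and the Hypothetical_Smush_Commands class are assumptions for the example.

```php
<?php
// Added example, not WP-Optimize's code. A Heartbeat handler that enforces
// capability, nonce and whitelist checks before dispatching Smush commands.
// Key names, the nonce action and the command class are assumptions.

// Commands this path may dispatch (assumed list); everything else is refused.
const SMUSH_HEARTBEAT_ALLOWED = array( 'get_smush_status', 'process_pending' );

// Stand-in for the real command class, so the example runs on its own.
class Hypothetical_Smush_Commands {
    public function get_smush_status( $data ) { return array( 'status' => 'idle' ); }
    public function process_pending( $data )  { return array( 'queued' => count( (array) $data ) ); }
}

add_filter( 'heartbeat_received', 'smush_heartbeat_received', 10, 2 );

/**
 * @param array $response Data returned to the browser.
 * @param array $data     Data sent with the browser's Heartbeat request.
 * @return array
 */
function smush_heartbeat_received( $response, $data ) {
    if ( empty( $data['smush_heartbeat'] ) || ! is_array( $data['smush_heartbeat'] ) ) {
        return $response; // not our payload; leave the response untouched
    }
    $request = $data['smush_heartbeat'];

    // 1. Capability: Heartbeat fires for any logged-in user (Subscriber included),
    //    so admin-only operations must be gated explicitly here.
    if ( ! current_user_can( 'manage_options' ) ) {
        $response['smush_heartbeat'] = array( 'error' => 'forbidden' );
        return $response;
    }

    // 2. Nonce: tie the request to a token issued to this user for this action.
    if ( ! isset( $request['nonce'] ) || ! wp_verify_nonce( $request['nonce'], 'smush-heartbeat' ) ) {
        $response['smush_heartbeat'] = array( 'error' => 'bad_nonce' );
        return $response;
    }

    // 3. Whitelist: dispatch only commands explicitly allowed on this path,
    //    never an arbitrary method name taken from the request.
    $command = isset( $request['command'] ) ? (string) $request['command'] : '';
    if ( ! in_array( $command, SMUSH_HEARTBEAT_ALLOWED, true ) ) {
        $response['smush_heartbeat'] = array( 'error' => 'unknown_command' );
        return $response;
    }

    $commands = new Hypothetical_Smush_Commands();
    $response['smush_heartbeat'] = $commands->$command( $request['data'] ?? array() );
    return $response;
}
```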
Impact
Exploitation of this vulnerability enables unauthorized access to admin-only Smush functions, including log file access, bulk image processing, deletion of backup images, and modification of Smush options.
Remediation
Users are advised to update the WP-Optimize plugin to version 4.5.1 or a later patched version.