cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2023-2113,https://securityvulnerability.io/vulnerability/CVE-2023-2113,Autoptimize < 3.1.7 - Admin+ Stored Cross-Site Scripting via Settings Import,"The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users (such as an administrator) to inject arbitrary javascript into the admin panel, even when the unfiltered_html capability is disabled, such as in a multisite setup.",Wordpress,Autoptimize,4.8,MEDIUM,0.000590000010561198,false,,false,false,true,true,false,false,2023-05-30T08:15:00.000Z,0
CVE-2023-1472,https://securityvulnerability.io/vulnerability/CVE-2023-1472,Cross-Site Request Forgery in RapidLoad Power-Up for Autoptimize Plugin by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress contains a vulnerability that exposes the plugin to Cross-Site Request Forgery (CSRF). This weakness arises from inadequate or incorrect nonce validation when handling AJAX requests. As a result, unauthenticated attackers can exploit this flaw to execute a range of functions by tricking an authorized admin into clicking on a malicious link. These functions may include resetting the API key, accessing or deleting log files, and compromising cache management, posing a significant security risk for affected sites.",Wordpress,RapidLoad Power-Up for Autoptimize,6.3,MEDIUM,0.0006600000197067857,false,,false,false,false,,false,false,2023-03-17T15:15:00.000Z,0
CVE-2023-1337,https://securityvulnerability.io/vulnerability/CVE-2023-1337,Unauthorized Data Loss Vulnerability in RapidLoad Power-Up for Autoptimize Plugin,"The RapidLoad Power-Up for Autoptimize plugin for WordPress is affected by a vulnerability that allows authenticated attackers with subscriber-level access to perform unauthorized actions. Specifically, there is a missing capability check on the clear_uucss_logs function, which can lead to the deletion of critical plugin log files. This presents a significant risk of data loss for users relying on the plugin for performance optimization.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0005000000237487257,false,,false,false,true,true,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1340,https://securityvulnerability.io/vulnerability/CVE-2023-1340,Cross-Site Request Forgery in RapidLoad Power-Up for Autoptimize by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in the clear_uucss_logs function. This flaw allows unauthenticated attackers to clear plugin logs by tricking a legitimate site administrator into executing a request, potentially compromising important logging information.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1341,https://securityvulnerability.io/vulnerability/CVE-2023-1341,Cross-Site Request Forgery Vulnerability in RapidLoad Power-Up for Autoptimize Plugin by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress is susceptible to a Cross-Site Request Forgery, allowing unauthenticated attackers to disable caching. This vulnerability arises from inadequate nonce validation in the ajax_deactivate function, which could enable attackers to deceive site administrators into executing harmful actions by merely clicking a manipulated link.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1342,https://securityvulnerability.io/vulnerability/CVE-2023-1342,Cross-Site Request Forgery in RapidLoad Power-Up for Autoptimize Plugin by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in its ucss_connect function. This vulnerability enables unauthenticated attackers to take advantage of unsuspecting site administrators by tricking them into executing actions, such as clicking a malicious link, thereby allowing attackers to connect the site to a new license key without authorization.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1343,https://securityvulnerability.io/vulnerability/CVE-2023-1343,Cross-Site Request Forgery in RapidLoad Power-Up for Autoptimize Plugin by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in the attach_rule function. This vulnerability allows unauthenticated attackers to manipulate the plugin's cache if they can trick a legitimate administrator into executing an action, such as clicking a malicious link. This lack of proper validation can lead to unauthorized actions being performed on behalf of the user, potentially compromising site integrity and functionality.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1344,https://securityvulnerability.io/vulnerability/CVE-2023-1344,Cross-Site Request Forgery Vulnerability in RapidLoad Power-Up for Autoptimize Plugin by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress contains a security flaw due to inadequate nonce validation in the uucss_update_rule function. This vulnerability allows unauthorized attackers to exploit the plugin's cache manipulation capabilities. By deceiving a site administrator into executing a crafted action, such as clicking an illegitimate link, attackers can potentially compromise site integrity and alter caching behaviors without necessary authorization.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1345,https://securityvulnerability.io/vulnerability/CVE-2023-1345,Cross-Site Request Forgery Vulnerability in RapidLoad Power-Up for Autoptimize Plugin,"The RapidLoad Power-Up for Autoptimize plugin for WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation in the queue_posts function. This flaw allows unauthenticated attackers to manipulate the plugin's cache by tricking site administrators into executing actions via deceptive requests, potentially compromising the site’s integrity.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1346,https://securityvulnerability.io/vulnerability/CVE-2023-1346,Cross-Site Request Forgery Vulnerability in RapidLoad Power-Up for Autoptimize by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress suffers from a vulnerability that allows unauthenticated attackers to exploit missing or improperly configured nonce validation in its clear_page_cache function. This flaw can enable attackers to clear the plugin's cache by tricking a site administrator into clicking on a malicious link. The vulnerability affects all versions up to and including 1.7.1, potentially compromising the integrity of the website's caching system.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1333,https://securityvulnerability.io/vulnerability/CVE-2023-1333,Unauthorized Data Loss in Autoptimize Plugin for WordPress,"The RapidLoad Power-Up for the Autoptimize plugin for WordPress is susceptible to unauthorized data deletion due to a lack of capability checks in the clear_page_cache function. This vulnerability affects versions up to and including 1.7.1, allowing authenticated attackers with subscriber-level access to delete the plugin's cache, potentially impacting site performance and user experience.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0005000000237487257,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1334,https://securityvulnerability.io/vulnerability/CVE-2023-1334,Unauthorized Cache Modification in RapidLoad Power-Up for Autoptimize Plugin for WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress suffers from a vulnerability that enables unauthorized cache alterations due to a lack of a capability check in the queue_posts function. This flaw allows authenticated users with only subscriber-level access to manipulate the plugin's cache, potentially leading to unauthorized changes in site content and performance.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0005000000237487257,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1335,https://securityvulnerability.io/vulnerability/CVE-2023-1335,Unauthorized Plugin Settings Update in RapidLoad Power-Up for Autoptimize by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress has a security flaw that allows unauthorized users to update plugin settings because of a missing capability check in the ucss_connect function. This vulnerability affects version 1.7.1 and earlier, enabling attackers with at least subscriber-level access to connect a new license key to the site, potentially leading to unauthorized changes and access.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0005000000237487257,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1336,https://securityvulnerability.io/vulnerability/CVE-2023-1336,Unauthorized Access in RapidLoad Power-Up for Autoptimize Plugin for WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress contains a security flaw allowing authenticated attackers with subscriber-level access to perform an unauthorized settings update. This occurs due to a missing capability check in the ajax_deactivate function, which can lead to disabling the caching functionality of the plugin. As a result, websites utilizing this plugin may experience performance degradation and increased load times if the vulnerability is exploited.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0005000000237487257,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1338,https://securityvulnerability.io/vulnerability/CVE-2023-1338,Unauthorized Cache Modification in Autoptimize Plugin for WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress suffers from a vulnerability that enables unauthorized cache modification. This issue arises from a missing capability check in the attach_rule function, affecting versions up to and including 1.7.1. Authenticated users with subscriber-level access can exploit this flaw to alter cache rules, potentially compromising website functionality and security.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0005000000237487257,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2023-1339,https://securityvulnerability.io/vulnerability/CVE-2023-1339,Unauthorized Settings Update in RapidLoad Power-Up for Autoptimize Plugin by WordPress,"The RapidLoad Power-Up for Autoptimize plugin for WordPress has a vulnerability that allows authenticated attackers with subscriber-level access to update caching rules through the uucss_update_rule function. This occurs due to a missing capability check in versions up to and including 1.7.1, potentially leading to unauthorized modifications that can affect site performance.",Wordpress,RapidLoad Power-Up for Autoptimize,4.3,MEDIUM,0.0005000000237487257,false,,false,false,false,,false,false,2023-03-10T20:15:00.000Z,0
CVE-2022-4057,https://securityvulnerability.io/vulnerability/CVE-2022-4057,Autoptimize < 3.1.0 - Sensitive Data Disclosure,The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs.,Wordpress,Autoptimize,5.3,MEDIUM,0.001550000044517219,false,,false,false,false,,false,false,2023-01-02T21:49:37.650Z,0
CVE-2022-2635,https://securityvulnerability.io/vulnerability/CVE-2022-2635,Autoptimize < 3.1.1 - Admin+ Stored Cross Site Scripting,"The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)",Wordpress,Autoptimize,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2022-09-16T08:40:30.000Z,0
CVE-2021-24378,https://securityvulnerability.io/vulnerability/CVE-2021-24378,Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload,"The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html inside the plugin directory.",Wordpress,Autoptimize,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2021-06-21T19:18:24.000Z,0
CVE-2021-24377,https://securityvulnerability.io/vulnerability/CVE-2021-24377,Autoptimize < 2.7.8 - Race Condition leading to RCE,"The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It is a bypass of CVE-2020-24948.",Wordpress,Autoptimize,8.1,HIGH,0.008419999852776527,false,,false,false,false,,false,false,2021-06-21T19:18:23.000Z,0
CVE-2021-24376,https://securityvulnerability.io/vulnerability/CVE-2021-24376,"Autoptimize < 2.7.8 - Arbitrary File Upload via ""Import Settings""","The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) from the uploaded archive via the ""Import Settings"" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the ""Import Settings"" functionality to achieve Remote Code Execution.",Wordpress,Autoptimize,9.8,CRITICAL,0.010870000347495079,false,,false,false,false,,false,false,2021-06-21T19:18:22.000Z,0
CVE-2021-24332,https://securityvulnerability.io/vulnerability/CVE-2021-24332,Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS),"The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues",Wordpress,Autoptimize,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2021-05-24T10:58:05.000Z,0
CVE-2020-24948,https://securityvulnerability.io/vulnerability/CVE-2020-24948,,"The ao_ccss_import AJAX call in Autoptimize Wordpress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to remote command execution.",Wordpress,Autoptimize,7.2,HIGH,0.5463100075721741,false,,false,false,false,,false,false,2020-09-03T14:06:10.000Z,0