Speedup Optimization Plugin for WordPress Can Be Hacked by Authorized Users

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.3

Speedup Optimization Plugin for WordPress Can Be Hacked by Authorized Users

CVE-2026-4127

Summary

The Speedup Optimization plugin for WordPress is vulnerable to unauthorized actions by users with Subscriber-level access and above. This means that attackers can enable or disable the plugin's optimization module, which could slow down or compromise your website. Update the plugin to a version higher than 1.5.9 to fix this issue.

Original title

Original description

The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax.

nvd CVSS3.1 5.3

Vulnerability type

CWE-862 Missing Authorization

Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026