SpeedyCache Vulnerability – Missing Authorization to Plugin Options Update – CVE-2023-6598 | WordPress Plugin Vulnerability Report

Plugin Name: SpeedyCache

Key Information:

  • Software Type: Plugin
  • Software Slug: speedycache
  • Software Status: Active
  • Software Author: softaculous
  • Software Downloads: 861,450
  • Active Installs: 100,000
  • Last Updated: December 16, 2023
  • Patched Versions: 1.1.4
  • Affected Versions: <= 1.1.3

Vulnerability Details:

  • Name: SpeedyCache <= 1.1.3 - Missing Authorization to Plugin Options Update
  • Type: Missing Authorization
  • CVE: CVE-2023-6598
  • CVSS Score: 4.3 (Medium)
  • Publicly Published: December 16, 2023
  • Researcher: Lucio Sá
  • Description: The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin options.


The SpeedyCache for WordPress has a vulnerability in versions up to and including 1.1.3 that allows for unauthorized data modification due to missing access controls. This vulnerability has been patched in version 1.1.4.

Detailed Overview:

The researcher Lucio Sá discovered that several functions in the SpeedyCache plugin did not properly check for user capabilities before allowing changes to plugin options. Specifically, the functions speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource were found to be vulnerable. This means that any authenticated user, even at the lowest subscriber access level, could update configuration options and settings within the plugin. This poses a security risk of unauthorized access and data modification. The vulnerability has been addressed by adding proper capability checks in version 1.1.4 of the plugin. All users are advised to update as allowing unauthorized changes could lead to issues with site caching and performance.

Advice for Users:

  1. Immediate Action: Update to version 1.1.4 or higher immediately.
  2. Check for Signs of Vulnerability: Review your plugin settings and configuration for any unexpected changes, which could indicate exploitation of this vulnerability.
  3. Alternate Plugins: Consider alternative caching plugins like WP Fastest Cache or W3 Total Cache as a precaution.
  4. Stay Updated: Enable automatic updates in WordPress to ensure plugins stay updated to latest secure versions.


The quick response by SpeedyCache developers to patch this vulnerability shows the importance of rapid security updates. Users should run version 1.1.4 or newer as soon as possible to prevent any potential unauthorized access risks.




Detailed Report:

Staying on top of WordPress plugin updates isn’t always the most glamorous task, but the risks of outdated plugins came to light this week with the disclosure of a vulnerability in a popular caching plugin, SpeedyCache.

SpeedyCache is an actively used plugin with over 860,000 downloads and 100,000+ active installs at the time CVE-2023-6598 was publicly disclosed on December 16, 2023. It aims to optimize WordPress site performance through various caching mechanisms.

Researcher Lucio Sá revealed that several key functions in the plugin lacked proper user access controls, enabling authenticated users of any subscriber level or higher to modify plugin options without permission. Specifically, the vulnerable functions were:

  • speedycache_save_varniship
  • speedycache_img_update_settings
  • speedycache_preloading_add_settings
  • speedycache_preloading_delete_resource

This troubling vulnerability serves as an urgent reminder that keeping WordPress and plugins fully updated is crucial for security. Outdated software opens doors for potential hacking, data theft, performance and availability issues, and more.

If exploited, this could allow attackers to make unauthorized changes to SpeedyCache settings and configuration. For example, they could deliberately break site caching leading to performance slowdowns or disable image optimization resulting in visual issues. Attackers could also exploit it as an initial foothold to further probe the system for more critical vulnerabilities.

The SpeedyCache developers have released version 1.1.4 to address this vulnerability by adding capability checks in the problematic functions. All users are strongly advised to update as soon as possible. You can also check your plugin settings for any suspicious or unexpected modifications.

This is not the first vulnerability found in SpeedyCache recently. There have been 2 other flaws reported since December 1st demonstrating the urgency of staying updated.

As a small business owner without ample security resources, the risks posed by outdated plugins may seem overwhelming. But contracting trustworthy WordPress support can help ease the burden via:

  • Ongoing monitoring for newly reported vulnerabilities
  • Testing and audits to reveal software flaws
  • Expert remediation and upgrades for protection
  • Configuration reviews minimizing attack surface

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.

SpeedyCache Vulnerability – Missing Authorization to Plugin Options Update – CVE-2023-6598 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment