WordPress Plugin Vulnerability Report – 10Web Booster – Unauthenticated Arbitrary Option Deletion
Plugin Name: 10Web Booster
Key Information:
- Software Type: Plugin
- Software Slug: tenweb-speed-optimizer
- Software Status: Active
- Software Author: 10web
- Software Downloads: 864,591
- Active Installs: 80,000
- Last Updated: October 29, 2023
- Patched Versions: 2.24.18
- Affected Versions: <= 2.24.14
Vulnerability Details:
- Name: 10Web Booster <= 2.24.14 - Unauthenticated Arbitrary Option Deletion
- Type: Authorization Bypass Through User-Controlled Key
- CVSS Score: 6.5 (Medium)
- Publicly Published:
- Description: The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the option value being supplied to the two_init_flow_score and the two_init_flow_score functions hooked via nopriv AJAX in all versions up to, and including, 2.24.14. This makes it possible for unauthenticated attackers to delete arbitrary option values from the site.
Summary:
The 10Web Booster plugin for WordPress has a vulnerability in versions up to and including 2.24.14 that allows unauthenticated attackers to delete arbitrary options from a site. This vulnerability has been patched in version 2.24.18.
Detailed Overview:
A security researcher recently disclosed an authorization bypass vulnerability in the 10Web Booster plugin. This plugin is used by over 80,000 WordPress sites to optimize page load speeds.
The vulnerability exists because there is insufficient validation of user-supplied input to AJAX hooks in the plugin. Specifically, the two_init_flow_score and two_init_flow_score functions do not properly validate that the requesting user has privileges to modify options.
By exploiting this, an unauthenticated attacker can send crafted requests to delete arbitrary options from a vulnerable site. This could lead to loss of critical configuration options and plugins no longer functioning correctly.
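To make the bug class concrete, here is an added illustration (not 10Web Booster's code; the action name, function names and option names are hypothetical) of a nopriv AJAX handler that deletes whatever option key the request names, followed by the hardened form a plugin developer would ship instead:

```php
<?php
// Illustrative only: a hypothetical AJAX handler, not 10Web Booster's code.
// Vulnerable shape: registered on the nopriv hook, so unauthenticated visitors can
// reach it, and the option name is taken straight from the request.
add_action( 'wp_ajax_nopriv_example_reset_setting', 'example_reset_setting_vulnerable' );
function example_reset_setting_vulnerable() {
    $option = isset( $_POST['option'] ) ? $_POST['option'] : '';
    delete_option( $option ); // user-controlled key: any option, including core ones, can be removed
    wp_send_json_success();
}

// Hardened shape: no nopriv registration, a nonce, a capability check, and an
// allowlist so the handler can only touch the options this feature actually owns.
function example_resettable_options() {
    return array( 'example_flow_score', 'example_flow_state' ); // hypothetical option names
}

add_action( 'wp_ajax_example_reset_setting', 'example_reset_setting_hardened' );
function example_reset_setting_hardened() {
    // Rejects forged cross-site requests; dies with a 403 on failure.
    check_ajax_referer( 'example_reset_setting', 'nonce' );

    // Only administrators may change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';

    // Allowlist the key instead of trusting the client-supplied name.
    if ( ! in_array( $option, example_resettable_options(), true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    delete_option( $option );
    wp_send_json_success();
}
```

The fix that matters most is the combination of dropping the `nopriv` registration and restricting the key to a fixed allowlist; a nonce alone does not stop an unauthenticated caller who can fetch the page that embeds it.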
Advice for Users:
- Immediate Action: Update to 10Web Booster version 2.24.18 or higher as soon as possible.
- Check for Signs of Compromise: Review your options table for any unexpected deletions or critical options no longer set.
- Alternate Plugins: Consider a speed optimization plugin like WP Rocket or WP Fastest Cache as a precaution.
- Stay Updated: Always keep your plugins updated, and enable auto-updates where possible.
Conclusion:
The quick response from 10Web to patch this vulnerability is appreciated. Users are strongly advised to update as soon as possible to 10Web Booster version 2.24.18 or higher. Staying updated on plugins is critical to securing WordPress sites.
References:
https://www.wordfence.com/blog/2023/10/wordpress-plugin-vulns-october-2023/
Detailed Report:
Keeping your WordPress website secure should be a top priority for any website owner. Unfortunately, vulnerabilities in plugins and themes pop up frequently, putting your site at risk if you don't stay vigilant about updates. One such vulnerability was recently disclosed affecting a popular speed optimization plugin, 10Web Booster. In this post, we’ll break down this vulnerability, who is affected, and most importantly, what you should do to lock down your site.
The 10Web Booster plugin is used by over 80,000 WordPress sites to optimize page load speeds. It has over 864,000 total downloads and is actively maintained by developers at 10Web. Unfortunately, a vulnerability was recently disclosed that affects all versions up to and including 2.24.14.
This vulnerability allows an unauthenticated attacker to send crafted requests that delete arbitrary options from a site. By exploiting insufficient validation of user input, they can remove critical configuration options, leaving plugins no longer functioning properly. The vulnerability is rated CVSS 6.5 (Medium Severity) and could lead to complete site failure if core WordPress options are maliciously deleted.
If you are running 10Web Booster version 2.24.14 or lower, you should take action immediately:
- Update to version 2.24.18 or higher, which contains the patch.
- Audit your options table for any unexpected deletions.
- Consider switching to an alternate speed optimization plugin like WP Rocket as a precaution.
This is not the first vulnerability found in 10Web Booster recently. There have been 3 other issues disclosed since November 2022, underscoring the importance of prompt updates.
As a small business owner, staying on top of vulnerabilities like this can feel daunting. The key is enabling automatic background updates wherever possible, and periodically auditing the plugins you use for new releases. If you need help managing WordPress security, consider a managed hosting provider that can monitor and deploy updates for you.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.