CVE-2023-5559
Published: 2023-11-27
Priority: P180 · critical · CVSS 3.1 base score 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 2.81% (84.7th percentile)
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 10web | 10web_booster | < 2.24.18 | 2.24.18 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=two_activate_score_check, the AJAX action abused to delete arbitrary WordPress options without authentication. The action parameter travels in the POST body, so a plain access log will not show it; body-logging WAF or proxy records are needed.
- After a successful exploitation attempt, the WordPress REST API index response contains "name":false instead of the normal site name string, indicating that the blogname option has been deleted from the database.
- Presence of the plugin path /wp-content/plugins/tenweb-speed-optimizer on a target indicates that the vulnerable 10Web Booster plugin may be installed; use publicwww or a similar passive scan to identify exposed instances.
- The exploit template uses a clusterbomb attack against both /wp-json and /?rest_route=/ to detect the WordPress REST API before and after exploitation; detection logic therefore requires a three-step flow (REST API check, AJAX POST, REST API re-check for "name":false).
- The nonce value blogname in the POST body is not a real nonce: it is the name of the WordPress option targeted for deletion. The plugin fails to validate the option name, so any option name can be supplied here.
- The vulnerability affects 10Web Booster plugin versions before 2.24.18; the CPE scope is all versions up to (excluding) 2.24.18.
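The three-step flow and the request/response indicators above, written out as detection code and run over constructed traffic. This is an added example; it is not code from this page, from the Nuclei template, or from the 10Web project. The HttpRecord shape (a WAF audit log or proxy capture that keeps the POST body and cookie names) and the sample records are assumptions; a plain access log has no body and therefore cannot see the action parameter. The login-cookie test relies on the wordpress_logged_in_ cookie name prefix WordPress uses for authenticated sessions.

```python
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "two_activate_score_check"          # AJAX action abused by the exploit
LOGGED_IN_COOKIE_PREFIX = "wordpress_logged_in_"  # WordPress auth cookie name prefix


@dataclass
class HttpRecord:
    """One request/response pair as a WAF audit log or proxy capture keeps it
    (assumed structure; a plain access log has no POST body)."""
    src: str
    method: str
    url: str              # path plus query string
    body: str = ""
    cookies: tuple = ()   # cookie names only
    response: str = ""    # response body, used for the REST index re-check


def is_rest_index(url):
    """True for both ways of reaching the WordPress REST API index."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") == "/wp-json":
        return True
    return parse_qs(parts.query).get("rest_route", [None])[0] == "/"


def rest_site_name(response_text):
    """'name' field of a REST index body (JSON false once blogname is deleted), else None."""
    try:
        data = json.loads(response_text)
    except ValueError:
        return None
    if not isinstance(data, dict) or "name" not in data:
        return None
    return data["name"]


def targeted_option(rec):
    """Option name a vulnerable-action POST tries to delete (the misnamed 'nonce' field), else None."""
    if rec.method.upper() != "POST" or urlsplit(rec.url).path != AJAX_PATH:
        return None
    params = parse_qs(rec.body, keep_blank_values=True)
    if params.get("action", [None])[0] != VULN_ACTION:
        return None
    return params.get("nonce", [""])[0]


def is_unauthenticated(rec):
    """No WordPress login cookie on the request."""
    return not any(c.startswith(LOGGED_IN_COOKIE_PREFIX) for c in rec.cookies)


def find_exploit_chains(records):
    """Three-step flow per source: REST index baseline, exploit POST, REST index re-check.
    Every exploit POST yields an alert; 'confirmed' is True only when the re-check shows
    name === false, i.e. blogname is gone (deleting other options needs a different probe)."""
    state = {}   # src -> {"baseline": site name, "option": pending target, "unauth": bool}
    alerts = []
    for rec in records:
        st = state.setdefault(rec.src, {"baseline": None, "option": None, "unauth": True})
        if rec.method.upper() == "GET" and is_rest_index(rec.url):
            name = rest_site_name(rec.response)
            if st["option"] is None:
                st["baseline"] = name            # step 1: normal site name string
            else:                                # step 3: re-check after the POST
                alerts.append({"src": rec.src, "option": st["option"],
                               "confirmed": name is False,
                               "unauthenticated": st["unauth"]})
                st["option"] = None
            continue
        opt = targeted_option(rec)               # step 2: the exploit request
        if opt is not None:
            st["option"], st["unauth"] = opt, is_unauthenticated(rec)
    for src, st in state.items():                # POSTs never followed by a re-check
        if st["option"] is not None:
            alerts.append({"src": src, "option": st["option"],
                           "confirmed": False, "unauthenticated": st["unauth"]})
    return alerts


# Constructed sample traffic, not a real capture.
SAMPLE_RECORDS = [
    HttpRecord("203.0.113.7", "GET", "/wp-json/",
               response='{"name":"Example Site","url":"http://example.test"}'),
    HttpRecord("203.0.113.7", "POST", "/wp-admin/admin-ajax.php",
               body="action=two_activate_score_check&nonce=blogname"),
    HttpRecord("203.0.113.7", "GET", "/?rest_route=/",
               response='{"name":false,"url":"http://example.test"}'),
    HttpRecord("198.51.100.2", "POST", "/wp-admin/admin-ajax.php",
               body="action=heartbeat&_nonce=abc123"),          # benign AJAX call
    HttpRecord("198.51.100.9", "POST", "/wp-admin/admin-ajax.php",
               body="action=two_activate_score_check&nonce=siteurl",
               cookies=("wordpress_logged_in_deadbeef",)),      # logged-in user, no re-check
]

if __name__ == "__main__":
    print(json.dumps(find_exploit_chains(SAMPLE_RECORDS), indent=2))
```

The first source completes the full chain and is reported with confirmed=True; the third sends the vulnerable action from a logged-in session and targets siteurl, so it is still reported (the action itself is the indicator) but neither confirmed nor marked unauthenticated. The heartbeat call produces nothing.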
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| VulnCheck | | 9.1 | CRITICAL | |
GHSA
GHSA-xg5j-3w2m-6rhx (ghsa_unreviewed · 2023-11-27 · CRITICAL)
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
VulnCheck
10Web Booster WordPress plugin AJAX actions Vulnerability (vulncheck · 2023 · CVSS 9.1 · CRITICAL)
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
Affected: 10web 10web_booster
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tenweb-speed-optimizer/10web-booster-22414-unauthenticated-arbitrary-option-deletion
No detection rules found.
Nuclei
10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion (nuclei · CVSS 9.1 · CRITICAL)
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
Template (as indexed, truncated):
```yaml
id: CVE-2023-5559
info:
  name: 10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion
  author: daffainfo
  severity: critical
  description: |
    The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
  impact: |
    Unauthenticated attackers can delete arbitrary WordPress options from the database, leading to denial of service and p
```
No writeups or analysis indexed.