CVE-2023-5559
published 2023-11-27


Priority: P180 critical
CVSS 3.1: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Exploited in the wild (VulnCheck KEV)
EPSS: 2.81% (84.7th percentile)
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.

Affected

1 range

Vendor: 10web
Product: 10web_booster
Version range: < 2.24.18
Fixed in: 2.24.18

Detection & IOCs

URL: /wp-admin/admin-ajax.php
Command: action=two_activate_score_check&nonce=blogname
Path: /wp-content/plugins/tenweb-speed-optimizer
  • Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=two_activate_score_check, which is the AJAX action abused to delete arbitrary WordPress options without authentication.
  • After a successful exploitation attempt, the WordPress REST API response will contain '"name":false' instead of a normal site name string, indicating the 'blogname' option was deleted from the database.
  • Presence of the plugin path /wp-content/plugins/tenweb-speed-optimizer on a target indicates the vulnerable 10Web Booster plugin may be installed; use publicwww or similar passive scanning to identify exposed instances.
  • The exploit uses a clusterbomb attack against both /wp-json and /?rest_route=/ to detect the WordPress REST API before and after exploitation; detection logic therefore requires a three-step flow (REST API check, then the AJAX POST, then a REST API re-check for '"name":false').
  • The nonce value 'blogname' in the POST body is not a real nonce; it is the name of the WordPress option being targeted for deletion. The plugin fails to validate the option name, so any option name can be supplied here.
  • The vulnerability affects 10Web Booster plugin versions before 2.24.18; the CPE scope is all versions up to (excluding) 2.24.18.
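The detection flow above, written out as an added defender-side example (this code is not from the page's sources or from the plugin). It assumes a JSON-lines audit log from a WAF or reverse proxy that records POST bodies; the field names (src, method, path, cookie, body) and the sample entries are constructed for illustration.

```python
import json
from urllib.parse import parse_qs

# Constructed JSON-lines audit log with request bodies (field names are an
# assumption, not any product's real schema). Two of the four entries invoke
# the vulnerable AJAX action; one of those carries a logged-in cookie.
SAMPLE_LOG = """
{"src":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","cookie":"","body":"action=two_activate_score_check&nonce=blogname"}
{"src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","cookie":"wordpress_logged_in_x=session","body":"action=heartbeat&_nonce=abc123"}
{"src":"203.0.113.5","method":"GET","path":"/wp-json/","cookie":"","body":""}
{"src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","cookie":"wordpress_logged_in_x=session","body":"action=two_activate_score_check&nonce=blogname"}
"""

VULN_ACTION = "two_activate_score_check"


def flag_option_deletion_attempts(log_text):
    """Return one (src, targeted_option, authenticated) tuple per POST to
    admin-ajax.php that invokes the vulnerable action. The 'nonce' parameter
    is really the option name the request tries to delete; an entry without a
    wordpress_logged_in cookie is the unauthenticated case the CVE describes."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["method"] != "POST" or not ev["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(ev["body"])
        if params.get("action", [None])[0] != VULN_ACTION:
            continue
        authenticated = "wordpress_logged_in" in ev.get("cookie", "")
        hits.append((ev["src"], params.get("nonce", [""])[0], authenticated))
    return hits


def blogname_deleted(rest_index_json):
    """Post-exploitation check on the REST index (/wp-json/ or /?rest_route=/):
    a JSON false for "name" means the blogname option is gone from the database."""
    doc = json.loads(rest_index_json)
    return doc.get("name") is False
```

Run the REST index check before and after any flagged request; a site name that changes from a string to false between the two snapshots corroborates a successful deletion.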

CVSS provenance

NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
VulnCheck: 9.1 CRITICAL