CVE-2023-1472

Name of the Vulnerable Software and Affected Versions RapidLoad Power-Up for Autoptimize plugin for WordPress versions up to, and including, 1.7.1

Description The issue is due to missing or incorrect nonce validation on its AJAX actions, making it possible for unauthenticated attackers to invoke those functions via forged requests. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link. Actions that can be invoked include resetting the API key, accessing or deleting log files, and deleting cache among others.

Recommendations For versions up to, and including, 1.7.1, update to a version that includes proper nonce validation for AJAX actions to prevent Cross-Site Request Forgery. As a temporary workaround, consider restricting access to the AJAX actions until a patch is available.