CVE-2024-11840 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the RapidLoad – Optimize Web Vitals Automatically plugin for WordPress, developed by shakee93. The flaw exists because several critical plugin functions—uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module—lack proper capability checks. This omission allows authenticated users with minimal privileges (Subscriber role or above) to bypass intended access controls. Consequently, attackers can modify plugin settings arbitrarily and potentially execute SQL injection attacks, compromising the confidentiality and integrity of the site data. The vulnerability affects all versions up to and including 2.4.2. The CVSS v3.1 base score is 7.1, reflecting network exploitability (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N). No public exploits have been reported yet, but the risk remains significant due to the low privilege required and the potential for data compromise. The vulnerability was published on December 11, 2024, and is assigned by Wordfence. No official patches or updates were linked at the time of reporting, emphasizing the need for immediate attention by site administrators.

The vulnerability allows attackers with minimal authenticated access to escalate their privileges within the plugin context, enabling unauthorized modification of plugin settings and potential SQL injection attacks. This can lead to unauthorized data disclosure, data tampering, and possibly further compromise of the WordPress site or its backend database. The confidentiality of sensitive information stored or processed by the plugin is at high risk, while integrity is moderately impacted. Availability is not directly affected. Exploitation could facilitate persistent backdoors or data exfiltration, undermining trust in affected websites. Organizations relying on this plugin for web performance optimization may face reputational damage, regulatory compliance issues, and operational disruptions if exploited. The ease of exploitation combined with the broad user base of WordPress sites makes this a significant threat globally.

1. Immediately update the RapidLoad plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict Subscriber-level and other low-privilege user access to the WordPress admin dashboard or specifically to plugin-related AJAX endpoints via custom role and capability management plugins. 3. Implement Web Application Firewall (WAF) rules to monitor and block suspicious requests targeting the vulnerable plugin functions. 4. Conduct a thorough audit of user roles and permissions to minimize unnecessary privileges. 5. Monitor logs for unusual activity related to plugin settings changes or database queries indicative of SQL injection attempts. 6. Employ database-level protections such as prepared statements and parameterized queries if custom modifications are made. 7. Consider temporarily disabling the plugin if it is not critical to site operations until a secure version is available. 8. Educate site administrators about the risks of granting excessive privileges to low-level users.