CVE-2024-13651 is a vulnerability identified in the WordPress plugin RapidLoad – Optimize Web Vitals Automatically, developed by shakee93, affecting all versions up to and including 2.4.4. The root cause is a missing capability check in the ajax_deactivate() function, which is responsible for deactivating or resetting plugin settings via an AJAX request. Because the function lacks proper authorization controls, any authenticated user with at least Subscriber-level privileges can invoke this function and reset some of the plugin's configuration settings without elevated permissions. This vulnerability is classified under CWE-862 (Missing Authorization). The attack vector is network-based (remote), requiring only low-level authenticated access, and no user interaction is needed beyond authentication. The vulnerability impacts the integrity of the plugin’s settings but does not affect confidentiality or availability. The CVSS v3.1 base score is 4.3 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating low attack complexity, low privileges required, no user interaction, and limited impact scope. No public exploits or patches are currently reported, but the vulnerability is published and should be addressed promptly by site administrators.

The primary impact of CVE-2024-13651 is unauthorized modification of plugin settings, which could lead to suboptimal performance or misconfiguration of the RapidLoad plugin. While this does not directly compromise sensitive data or site availability, altered settings could degrade website performance, affect user experience, or interfere with web vitals optimization, potentially impacting SEO and site reputation. Attackers with Subscriber-level access, often easy to obtain or compromise, can exploit this flaw to disrupt site optimization silently. Organizations relying on this plugin for performance improvements may experience degraded service quality or inconsistent behavior. Although the impact is limited to plugin settings integrity, it could serve as a stepping stone for further attacks if combined with other vulnerabilities or misconfigurations. The vulnerability affects any WordPress site using this plugin, which may include small to medium businesses, blogs, and larger enterprises leveraging WordPress for web presence.

To mitigate CVE-2024-13651, site administrators should immediately verify user roles and restrict Subscriber-level access where possible, minimizing the number of users with low-level authenticated access. Applying principle of least privilege to WordPress user roles reduces exploitation risk. Since no official patch is currently available, administrators can implement custom code to add capability checks to the ajax_deactivate() function, ensuring only authorized roles (e.g., Administrator) can invoke it. Monitoring and logging AJAX requests related to plugin settings changes can help detect unauthorized attempts. Additionally, consider temporarily disabling or uninstalling the RapidLoad plugin if it is not critical until a patch is released. Regularly check for updates from the vendor and apply patches promptly once available. Employing Web Application Firewalls (WAFs) with rules to restrict suspicious AJAX calls may provide an additional layer of defense.