
CVE-2024-3722: CWE-863 Incorrect Authorization in swte Swift Performance Lite

Medium
Published: Thu May 09 2024 (05/09/2024, 20:03:28 UTC)
Source: CVE Database V5
Vendor/Project: swte
Product: Swift Performance Lite

Description

CVE-2024-3722 is a medium severity vulnerability in the Swift Performance Lite WordPress plugin affecting all versions up to and including 2.3.6.18. The flaw is a missing capability check in the plugin's ajax_handler() function, which allows authenticated users with subscriber-level access or higher to retrieve and modify plugin settings without proper authorization. Exploitation requires an account on the site but no user interaction, and is possible remotely over the network. The flaw does not affect availability, but it compromises the confidentiality and integrity of the plugin's configuration. No exploitation in the wild had been reported at the time of publication. Organizations using this plugin should prioritize applying a patch or implementing access restrictions to mitigate risk. The threat primarily affects websites running WordPress with this plugin installed, which are widespread globally, especially in countries with high WordPress adoption.

AI-Powered Analysis

Last updated: 02/26/2026, 06:23:38 UTC

Technical Analysis

CVE-2024-3722 identifies an incorrect authorization vulnerability (CWE-863) in the Swift Performance Lite plugin for WordPress, versions up to and including 2.3.6.18. The root cause is the absence of a capability check in the ajax_handler() function, which services the plugin's AJAX requests. WordPress dispatches any request to wp-admin/admin-ajax.php with a matching action to the wp_ajax_{action} callbacks for every logged-in user regardless of role, so a handler that does not itself call current_user_can() (or an equivalent check) is reachable by subscribers. That is the case here: any authenticated user with subscriber-level privileges or higher can bypass the intended access controls and retrieve or modify plugin settings. Since subscriber-level users normally have almost no permissions, this gives them control over site performance configuration they should never touch, which may lead to misconfiguration or serve as a stepping stone to further attacks. The vulnerability is exploitable over the network without user interaction. The CVSS v3.1 base score is 5.4 (medium): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), low impact on confidentiality and integrity (C:L/I:L) and no impact on availability (A:N). No public exploits had been reported, but the plugin's wide deployment makes the flaw a notable concern for site administrators. The vulnerability was published on May 9, 2024, and assigned by Wordfence. No official patch was linked at the time of reporting, so affected sites should apply the interim mitigations below until the vendor's fix is confirmed and installed.
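To make the CWE-863 condition concrete, the following is an added example written for this page; it is not code from Swift Performance Lite and does not reproduce its ajax_handler(). It shows a generic WordPress AJAX settings handler in the vulnerable shape the advisory describes (no capability check, so any logged-in user can read and overwrite the option) beside a hardened version. The hook names, option name, nonce name and setting keys (example_settings, example_plugin_settings, cache_enabled, cache_ttl) are hypothetical.

```php
<?php
/**
 * Added example, not Swift Performance Lite code. Demonstrates the missing
 * capability check described in CVE-2024-3722 and its fix. All hook, option
 * and setting names below are hypothetical.
 *
 * WordPress runs the callbacks on "wp_ajax_{action}" for ANY logged-in user,
 * subscribers included, whenever wp-admin/admin-ajax.php is called with
 * ?action={action}. The hook does not check roles; the callback must.
 */

// --- Vulnerable pattern (the CWE-863 condition) ----------------------------
add_action( 'wp_ajax_example_settings', 'example_ajax_handler_vulnerable' );

function example_ajax_handler_vulnerable() {
    // No current_user_can() and no nonce check: a subscriber who POSTs to
    // admin-ajax.php can both read and replace the plugin's settings.
    if ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) {
        update_option( 'example_plugin_settings', wp_unslash( $_POST['settings'] ) );
    }

    wp_send_json_success( get_option( 'example_plugin_settings', array() ) );
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'wp_ajax_example_settings_secure', 'example_ajax_handler_secure' );

function example_ajax_handler_secure() {
    // 1. CSRF protection: the request must carry a nonce created for this
    //    action (e.g. wp_create_nonce( 'example_settings_nonce' ) on the
    //    settings page). check_ajax_referer() dies with 403 on failure.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // 2. Authorization: this is the check whose absence is the CVE. Only users
    //    allowed to manage site options may read or change plugin settings.
    //    wp_send_json_error() terminates the request, so no fall-through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only known keys, coerced to sane types and
    //    ranges, instead of storing whatever array the client sent.
    $incoming = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $clean = array();
    if ( isset( $incoming['cache_enabled'] ) ) {
        $clean['cache_enabled'] = (bool) $incoming['cache_enabled'];
    }
    if ( isset( $incoming['cache_ttl'] ) ) {
        // Clamp TTL to 1 minute .. 1 day.
        $clean['cache_ttl'] = max( 60, min( 86400, absint( $incoming['cache_ttl'] ) ) );
    }

    if ( ! empty( $clean ) ) {
        update_option( 'example_plugin_settings', $clean );
    }

    wp_send_json_success( get_option( 'example_plugin_settings', array() ) );
}
```

The order of the checks matters in practice: the nonce check stops cross-site request forgery against an administrator, but on its own it does nothing about a malicious subscriber, who can obtain a valid nonce for any action exposed to them; only the current_user_can() check closes the authorization gap the advisory describes. When reviewing a plugin for this class of bug, grep for add_action( 'wp_ajax_ registrations and confirm every callback reaches a capability check before touching options or the database.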

Potential Impact

The vulnerability allows low-privileged authenticated users (subscribers and above) to access and modify plugin settings that should be restricted. This can lead to unauthorized disclosure of configuration data, potentially exposing sensitive information about site performance optimizations or security settings. Modification of these settings could degrade website performance, introduce misconfigurations, or open pathways for further attacks such as privilege escalation or injection of malicious code. Although it does not directly affect site availability, the integrity and confidentiality of the affected WordPress sites are compromised. Organizations relying on Swift Performance Lite for site optimization risk unauthorized changes that could impact user experience and trust. Since WordPress powers a significant portion of the web globally, the scope of affected systems is large, especially for sites that allow subscriber-level user registrations. The ease of exploitation and lack of required user interaction increase the likelihood of exploitation once discovered by attackers.

Mitigation Recommendations

1. Update the Swift Performance Lite plugin to a version newer than 2.3.6.18 as soon as the vendor publishes one; monitor the plugin's official channels for the release.
2. Until a patch is installed, reduce who can reach the vulnerable code path: disable open user registration where it is not needed, and use a role management plugin to strip unnecessary capabilities from low-privileged roles.
3. Add web application firewall (WAF) rules that flag or block requests to wp-admin/admin-ajax.php invoking the plugin's AJAX actions from accounts that do not hold administrator-level capabilities (the vulnerable ajax_handler() is reached through this endpoint, not through a URL of its own).
4. Audit user roles and capabilities regularly so that the principle of least privilege is actually enforced.
5. Monitor access logs for admin-ajax.php activity and option changes originating from subscriber-level accounts, and treat unexpected changes to the plugin's settings as indicators of abuse.
6. If the plugin cannot be updated and the exposure is unacceptable, deactivate Swift Performance Lite until a fix is applied.
7. Inform site administrators of the risk and the interim measures so they act promptly.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-04-12T17:19:38.496Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c9bb7ef31ef0b566c06

Added to database: 2/25/2026, 9:41:47 PM

Last enriched: 2/26/2026, 6:23:38 AM

Last updated: 2/26/2026, 9:40:08 AM

