On October 30, 2023, a serious vulnerability was disclosed in the popular Perfmatters WordPress plugin—an optimization tool used on over 100,000 WordPress sites. Tracked as CVE-2023-47874, this flaw lies in missing authorization checks in various plugin endpoints, allowing attackers to perform sensitive actions without proper permissions. In this post, we'll explain the issue in simple terms, walk through how the exploit works, and provide examples and tips for protecting your site.
What is Perfmatters?
Perfmatters is a paid plugin designed to speed up WordPress sites by disabling unneeded features, optimizing scripts, and more. Because it's popular among performance-focused site owners, vulnerabilities in Perfmatters put many high-traffic WordPress sites at risk.
Vulnerability Overview
- CVE: CVE-2023-47874
What Does "Missing Authorization" Mean?
In technical terms, an endpoint or action in the plugin is supposed to only be accessible to certain users—like site administrators. But the vulnerable code doesn't check who is making the request. Anyone who knows how to craft the correct request can trigger sensitive plugin functions.
Which Functions Are Affected?
Within Perfmatters, various AJAX actions and REST endpoints allow users (legitimately) to clear the cache, manage settings, or take other powerful actions. These are accessible via PHP functions that WordPress exposes. The problem: the plugin failed to ensure that only admins can hit these endpoints!
Exploit Scenario
Let's look at a practical example. Assume there’s an AJAX handler at /wp-admin/admin-ajax.php with the action perfmatters_clear_cache. Instead of checking if the caller is an admin, the plugin just runs the function.
Example Vulnerable PHP (simplified)
// inside perfmatters.php or included file
add_action('wp_ajax_perfmatters_clear_cache', 'perfmatters_clear_cache_function');
function perfmatters_clear_cache_function() {
// MISSING: check if current_user_can('manage_options');
perfmatters_clear_cache(); // Dangerous function!
wp_send_json_success('Cache cleared!');
}
What’s missing?
A line like this, which checks that the user is allowed to clear the cache
if ( !current_user_can('manage_options') ) {
wp_send_json_error('You do not have permission.');
exit;
}
Attackers can simply POST data to the endpoint
curl -X POST https://vulnerable-site.com/wp-admin/admin-ajax.php \
-d "action=perfmatters_clear_cache"
On vulnerable versions, the cache will be cleared without any authentication. More complex attacks might target other, even more dangerous endpoints.
Why Is This Bad?
If combined with other vulnerabilities, an attacker could completely take over the website, or use it for spam or phishing. Even alone, just clearing the cache repeatedly could degrade site performance or disrupt how the site appears to users.
Discovered: October 2023
- Patched: Version 2.1.7 (changelog here)
- Public Disclosure: NVD Entry
How to Protect Your Site
1. Update Immediately
If you use Perfmatters, update to version 2.1.7 or later right away.
2. Check Your Version
In your WordPress dashboard, go to Plugins > Perfmatters and ensure the version is 2.1.7 or above.
3. Review Site Access
Review user accounts to ensure only trusted admins have access.
4. Monitor for Abuse
Look for unexplained changes in caching, plugin settings, or site functionality.
More Resources
- CVE-2023-47874 on NVD
- Perfmatters Official Website
- Perfmatters Changelog
- Wordfence Advisory *(if available)*
Conclusion
CVE-2023-47874 serves as a reminder that even well-maintained software can have security holes. "Missing Authorization" issues crop up often in WordPress plugins, especially with AJAX and REST endpoints. Always keep your plugins updated, and if you're a developer, make sure you check user permissions before running sensitive code!
If you enjoyed this security write-up, follow us for more plain-English breakdowns of real-world WordPress vulnerabilities.
Timeline
Published on: 02/29/2024 06:15:45 UTC
Last modified on: 02/29/2024 13:49:29 UTC