CVE-2023-5559 – 10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion
https://notcve.org/view.php?id=CVE-2023-5559
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.

The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the option value being supplied to the two_init_flow_score and the two_init_flow_score functions hooked via nopriv AJAX in all versions up to, and including, 2.24.14. This makes it possible for unauthenticated attackers to delete arbitrary option values from the site.

• https://wpscan.com/vulnerability/eba46f7d-e4db-400c-8032-015f21087bbf
• CWE-639: Authorization Bypass Through User-Controlled Key