VYPR
Unrated severity · NVD Advisory · Published Oct 16, 2024 · Updated Apr 8, 2026

SiteGround Optimizer <= 5.0.12 - Missing Authorization

CVE-2019-25217

Description

Authorization bypass in SiteGround Optimizer ≤5.0.12 via /switch-php REST route allows unauthenticated remote code execution and local file inclusion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SiteGround Optimizer plugin for WordPress versions up to and including 5.0.12 contains an authorization bypass vulnerability in the switch_php function, accessible via the /switch-php REST API route. Due to incorrect use of an access control attribute, the endpoint does not properly verify user privileges, allowing unauthenticated or low-privileged attackers to invoke the function [1].

Exploitation

An attacker can send a crafted request to the /switch-php REST API route without requiring authentication or any special privileges. The vulnerability is remotely exploitable and rated as very easy to exploit [1]. The attacker does not need any user interaction or prior access to the site.

Impact

Successful exploitation allows an attacker to include and execute arbitrary files on the server, leading to remote code execution (RCE) and local file inclusion (LFI). This can be used to bypass access controls, obtain sensitive data, or achieve code execution, particularly if the attacker can upload files (such as images) containing malicious PHP code and then include them via the vulnerable endpoint [1].

Mitigation

The vulnerability was patched in version 5.0.13 of the SiteGround Optimizer plugin, released on January 16, 2019 [1]. Users on the SiteGround hosting environment were automatically updated; all other users should manually update to version 5.0.13 or later. If the plugin is no longer in use, it should be removed [1]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
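For a site that ran an affected version, the access log can be reviewed for requests that reached the route. The following is an added example, not code from the advisory or the plugin: it assumes a Combined Log Format access log, and because the advisory gives only the route name `/switch-php`, it matches that route under any REST namespace (the namespace `example-ns/v1` and all sample lines are constructed).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ROUTE_SUFFIX = "/switch-php"  # route name as given in the advisory


def rest_route_of(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Pretty permalinks: /wp-json/<namespace>/<route> (optionally behind /index.php)
    marker = "/wp-json/"
    idx = path.lower().find(marker)
    if idx != -1:
        return "/" + path[idx + len(marker):].strip("/")
    # Plain permalinks: ?rest_route=/<namespace>/<route> (usually URL-encoded)
    values = parse_qs(parts.query).get("rest_route")
    if values:
        return "/" + values[0].strip("/")
    return None


def find_switch_php_requests(lines):
    """Return (ip, time, method, status, route) for each request to the route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        route = rest_route_of(m["target"])
        if route and route.lower().endswith(ROUTE_SUFFIX):
            hits.append((m["ip"], m["time"], m["method"], int(m["status"]), route))
    return hits


# Constructed sample lines: documentation IP ranges, placeholder namespace.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2019:04:12:01 +0000] "POST /wp-json/example-ns/v1/switch-php HTTP/1.1" 200 41 "-" "-"',
    '198.51.100.9 - - [10/Jan/2019:04:13:22 +0000] "GET /?rest_route=%2Fexample-ns%2Fv1%2Fswitch-php%2F HTTP/1.1" 200 41 "-" "-"',
    '192.0.2.4 - - [10/Jan/2019:04:14:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.4 - - [10/Jan/2019:04:15:02 +0000] "GET /blog/how-to-switch-php-version/ HTTP/1.1" 200 9001 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_switch_php_requests(SAMPLE_LOG):
        print(hit)
```

Hits dated before the site was updated to 5.0.13 are the ones to investigate further, since the route required no authentication in affected versions.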

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3


References

2
