CVE-2026-45212

The Asset CleanUp: Page Speed Booster plugin for WordPress (versions up to 1.4.0.3) suffers from a missing authorization vulnerability. This means that certain functions lack proper access control checks, allowing unprivileged users to perform actions that should require higher privileges [1].

Attackers exploiting this issue do not need authentication or can leverage low-privileged accounts to trigger privileged operations. This type of broken access control is commonly targeted in mass-exploit campaigns, affecting thousands of sites regardless of size [1].

The impact includes the ability to execute unauthorized actions within the plugin, potentially leading to data manipulation or site compromise. The CVSS score of 5.3 (Medium) reflects the moderate severity due to the low complexity and network attack vector [1].

As a mitigation, users must update the plugin to version 1.4.0.4, which contains the fix. Those unable to update should seek assistance from their hosting provider. The vulnerability is considered low risk and unlikely to be exploited, but immediate patching is recommended [1].