What the vulnerability does
01Description
Missing Authorization vulnerability in Mohammed Kaludi Core Web Vitals & PageSpeed Booster core-web-vitals-pagespeed-booster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Core Web Vitals & PageSpeed Booster: from n/a through <= 1.0.28.
Explanation of Vulnerability in Simple Terms
02Summary
The Core Web Vitals & PageSpeed Booster plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to read and modify sensitive data. An attacker with a basic user account can access functionality intended for administrators, potentially exposing or altering site configuration. Update to a version newer than 1.0.28 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read and modify sensitive site data with a low-privilege user account.
Potential impact on your site
04Site Impact
Unauthorized users can access admin-level features and modify site settings or data without proper permission.
Conditions required to exploit
05Prerequisites
Attacker must have a valid WordPress user account with low privileges (e.g., subscriber or contributor role).
Key dates
06Disclosure timeline
December 31, 2025
CVE published
April 28, 2026
Record updated