CVE-2024-53738: 
WordPress vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the WordPress plugin Asset CleanUp: Page Speed Booster, affecting versions up to and including 1.3.9.8. The vulnerability was reported on October 24, 2024, by security researcher Zaidan Rizaki and was publicly disclosed on November 27, 2024. This security issue was assigned CVE-2024-53738 (Patchstack, WPScan).

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and has received varying CVSS scores from different sources. Patchstack assigned it a CVSS v3.1 score of 4.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, while WPScan rates it at 5.5 (Medium). The vulnerability requires administrator-level access or higher privileges to exploit (NVD, Patchstack).

The vulnerability allows authenticated attackers with administrator-level access to make web requests to arbitrary locations originating from the web application. This capability can be exploited to query and modify information from internal services, potentially exposing sensitive information running on the system (WPScan, Patchstack).

The vulnerability has been fixed in version 1.3.9.9 of the Asset CleanUp: Page Speed Booster plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).