CVE-2025-6720
BaseFortify
Publication date: 2025-07-19
Last updated on: 2025-07-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mrkv | vchasno_kasa | * |
| wordpress | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Vchasno Kasa WordPress plugin (up to version 1.0.3) is due to a missing capability check on the clear_all_log() function. This flaw allows unauthenticated attackers to clear log files without permission, leading to unauthorized loss of data.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers who are not logged in to clear important log files. This could result in loss of critical data that might be needed for auditing, troubleshooting, or security investigations, potentially hiding malicious activity or errors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your WordPress installation is running the Vchasno Kasa plugin version 1.0.3 or earlier, which lacks nonce verification and capability checks on the clear_all_log() function. To verify the plugin version, use the command: `wp plugin list --format=json | jq '.[] | select(.name=="mrkv-vchasno-kasa") | .version'`. Additionally, monitor for unauthorized HTTP POST requests to the AJAX endpoint that triggers clear_all_log() without valid nonce tokens. For example, you can use network monitoring tools or grep web server logs for suspicious AJAX calls to the plugin's log clearing function. There are no specific commands provided in the resources, but these general steps can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Vchasno Kasa WordPress plugin to version 1.0.4 or later, which includes nonce verification and capability checks to prevent unauthorized log clearing. Until the update is applied, restrict access to the plugin's AJAX endpoints and monitor for suspicious activity. Also, ensure that only users with 'editor' or 'administrator' roles have permissions to clear logs or perform sensitive actions. [1]