CVE-2025-11497
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-25

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2025-64357 is a duplicate of this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-25
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-10-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11497
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordpress advanced_database_cleaner 3.1.6
wordpress advanced_database_cleaner 3.1.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Advanced Database Cleaner WordPress plugin versions up to 3.1.6. It occurs because the plugin's function aDBc_prepare_elements_to_clean() lacks proper nonce validation, which is a security measure to verify that requests are legitimate. As a result, an attacker can trick a site administrator into performing unintended actions, such as changing the 'keep last' setting, by sending a forged request that the administrator unknowingly executes. [1]

Impact Analysis

This vulnerability can allow an unauthenticated attacker to alter database cleanup settings on your WordPress site by tricking an administrator into clicking a malicious link. Specifically, the attacker can change the 'keep last' setting, potentially affecting how many database items are retained or cleaned. This could lead to unintended data modifications or loss, impacting site stability or data integrity. [1]

Detection Guidance

You can detect this vulnerability by checking the version of the Advanced Database Cleaner plugin installed on your WordPress site. Versions up to and including 3.1.6 are vulnerable. To check the plugin version, you can use WP-CLI with the command: `wp plugin list --format=json` and look for 'advanced-database-cleaner' version. Additionally, inspecting HTTP requests for missing nonce fields in forms related to the 'keep_last' setting could indicate vulnerability to CSRF. However, no specific network detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the Advanced Database Cleaner plugin to version 3.1.7 or later, where the vulnerability is fixed by adding proper nonce verification to prevent CSRF attacks. Until the update is applied, avoid clicking on suspicious links or performing actions related to the 'keep_last' setting in the plugin. Also, ensure that only trusted administrators have access to the WordPress admin area. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart