CVE-2025-13749
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Wordfence

Description
The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13749
EUVD
EUVD-2026-1806
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
clearfy clearfy to 2.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13749 is a Cross-Site Request Forgery (CSRF) vulnerability in the Clearfy Cache WordPress optimization plugin (up to version 2.4.0). The vulnerability arises because the plugin's function 'wbcr_upm_change_flag' lacks nonce validation, allowing unauthenticated attackers to trick a site administrator into performing actions such as disabling plugin or theme update notifications via a forged request. [2]

Impact Analysis

This vulnerability can allow an attacker to disable plugin or theme update notifications on a WordPress site by tricking an administrator into clicking a malicious link. This could lead to the site running outdated and potentially insecure plugins or themes without the administrator's knowledge, increasing the risk of further security issues. [2]

Detection Guidance

Detection can involve monitoring for unauthorized AJAX requests targeting the 'wbcr_upm_change_flag' action without proper nonce validation. Since the vulnerability involves missing nonce checks in AJAX calls, you can inspect HTTP requests to your WordPress admin AJAX endpoint (usually /wp-admin/admin-ajax.php) for suspicious requests that attempt to change plugin/theme update flags. Commands to detect such activity could include using curl or wget to simulate requests and checking server logs for unexpected POST requests to admin-ajax.php with the 'wbcr_upm_change_flag' action parameter. For example, you can use: curl -X POST -d 'action=wbcr_upm_change_flag' https://yourwordpresssite.com/wp-admin/admin-ajax.php and observe if the request is accepted without nonce or capability checks. Additionally, reviewing web server access logs for POST requests to admin-ajax.php with this action can help identify exploitation attempts. [2]

Mitigation Strategies

The immediate mitigation step is to update the Clearfy plugin to version 2.4.1 or later, which includes the security fix implementing nonce verification and restricting AJAX actions to users with the 'install_plugins' capability. This update prevents unauthorized users from performing the vulnerable action. If updating immediately is not possible, restrict access to the WordPress admin AJAX endpoint and ensure only trusted administrators can perform plugin or theme update actions. Additionally, educate site administrators to avoid clicking on suspicious links that could trigger forged requests. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13749. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart