CVE-2025-13749
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| clearfy | clearfy | up to and including 2.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-13749 is a Cross-Site Request Forgery (CSRF) vulnerability in the Clearfy Cache WordPress optimization plugin (up to version 2.4.0). The vulnerability arises because the plugin's function 'wbcr_upm_change_flag' lacks nonce validation, allowing unauthenticated attackers to trick a site administrator into performing actions such as disabling plugin or theme update notifications via a forged request. [2]
How can this vulnerability impact me?
This vulnerability can allow an attacker to disable plugin or theme update notifications on a WordPress site by tricking an administrator into clicking a malicious link. This could lead to the site running outdated and potentially insecure plugins or themes without the administrator's knowledge, increasing the risk of further security issues. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection centres on requests to the WordPress AJAX endpoint (usually `/wp-admin/admin-ajax.php`) that carry the `action=wbcr_upm_change_flag` parameter, since the vulnerable code path is an AJAX call that performs no nonce validation. Inspect the HTTP requests reaching that endpoint for attempts to change plugin or theme update flags. To test your own site, you can send a request with curl and observe whether it is accepted without a nonce or capability check, for example: `curl -X POST -d 'action=wbcr_upm_change_flag' https://yourwordpresssite.com/wp-admin/admin-ajax.php`. Reviewing web server access logs for POST requests to admin-ajax.php with this action can also reveal exploitation attempts. Note that standard access logs record the query string but not the POST body, so the action parameter is only visible there when it is sent in the URL; request-body logging from a WAF or reverse proxy is needed otherwise. Because a forged request arrives from the administrator's own browser with valid session cookies, a Referer or Origin header pointing at a foreign site is the more telling indicator in those logs. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Clearfy plugin to version 2.4.1 or later, which includes the security fix implementing nonce verification and restricting AJAX actions to users with the 'install_plugins' capability. This update prevents unauthorized users from performing the vulnerable action. If updating immediately is not possible, restrict access to the WordPress admin AJAX endpoint and ensure only trusted administrators can perform plugin or theme update actions. Additionally, educate site administrators to avoid clicking on suspicious links that could trigger forged requests. [2]
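The fix described above (nonce verification plus an 'install_plugins' capability check on the AJAX action) beside the pattern it replaces, as an added illustration written for this page rather than the Clearfy plugin's own code. The handler bodies, option name, POST field names, script handle and nonce action string are assumptions; only the action name `wbcr_upm_change_flag` and the capability come from the advisory.

```php
<?php
// Added illustration for CVE-2025-13749, not the Clearfy plugin's own code.
// Hypothetical: the function names, the 'flag'/'value' POST fields, the option
// name and the nonce action string. The WordPress API calls are real.

// BEFORE: the CSRF-prone pattern the advisory describes (shown for contrast,
// not registered). Any request reaching admin-ajax.php with
// action=wbcr_upm_change_flag is honoured as long as the browser sends a
// logged-in administrator's cookies, which is exactly what a forged cross-site
// request does. Nothing ties the request to the plugin's own admin page.
function example_change_flag_vulnerable() {
    $flag  = sanitize_key( $_POST['flag'] ?? '' );
    $value = (int) ( $_POST['value'] ?? 0 );
    update_option( 'example_upm_' . $flag, $value ); // e.g. hides update notices
    wp_send_json_success();
}

// AFTER: the fix the advisory names. A nonce bound to this action proves the
// request originated from the plugin's admin page, and the capability check
// limits the action to users allowed to manage plugins.
function example_change_flag_hardened() {
    // Replies HTTP 403 and stops if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_upm_change_flag', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $flag  = sanitize_key( $_POST['flag'] ?? '' );
    $value = (int) ( $_POST['value'] ?? 0 );
    update_option( 'example_upm_' . $flag, $value );
    wp_send_json_success();
}
// wp_ajax_ (not wp_ajax_nopriv_) exposes the handler to logged-in users only.
add_action( 'wp_ajax_wbcr_upm_change_flag', 'example_change_flag_hardened' );

// The nonce is minted server-side and handed to the admin page's script. A
// third-party site cannot read it because of the same-origin policy, so it
// cannot build a request that passes check_ajax_referer().
function example_enqueue_admin_script() {
    // Hypothetical script handle and file name.
    wp_enqueue_script( 'example-upm-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-upm-admin', 'exampleUpm', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_upm_change_flag' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```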