CVE-2025-12014
Description
The NGINX Cache Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nginxcacheoptimizer-blacklist-update' AJAX action in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add URLs to the Exclude URLs From Dynamic Caching setting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The NGINX Cache Optimizer plugin up to v1.1 lacks a capability check, letting Subscriber+ users add URLs to the Exclude-URLs-from-Dynamic-Caching list.
The NGINX Cache Optimizer WordPress plugin, in all versions up to and including 1.1, exposes a missing capability check on the nginxcacheoptimizer-blacklist-update AJAX action. This flaw permits authenticated attackers with at least Subscriber-level access to modify a restricted server-side setting.
The vulnerability is exploitable by any authenticated user possessing a WordPress role of Subscriber or higher. The attacker can send a crafted AJAX request to the WordPress admin-ajax endpoint, targeting the vulnerable action. No additional privileges or nonce verification bypass is required for exploitation [1].
By exploiting this weakness, an attacker can arbitrarily add URLs to the 'Exclude URLs From Dynamic Caching' setting. This manipulation may degrade caching efficiency, potentially leading to increased server load or denial-of-service conditions for legitimate users [1].
The plugin was closed as of October 22, 2025, due to a security issue, and is no longer available for download. Users should disable and remove the plugin immediately; no patched version exists [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
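While the plugin is being removed, a must-use plugin can enforce the missing capability check in front of the vulnerable AJAX action. This is an added example, not code from the NGINX Cache Optimizer plugin or from this page's references; the `nco_guard_*` names, the log format, and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: Guard for nginxcacheoptimizer-blacklist-update (added example)
 *
 * Place in wp-content/mu-plugins/. Hypothetical interim guard; not part of
 * the NGINX Cache Optimizer plugin. Assumption: only administrators
 * (manage_options) should be able to change the exclude list.
 */

// Action name as given in the CVE description.
const NCO_GUARDED_ACTION = 'nginxcacheoptimizer-blacklist-update';

// admin-ajax.php fires wp_ajax_{action} for logged-in users. Callbacks run in
// ascending priority order, so PHP_INT_MIN places this guard ahead of a
// handler registered at the default priority (10).
add_action( 'wp_ajax_' . NCO_GUARDED_ACTION, 'nco_guard_require_admin', PHP_INT_MIN );

function nco_guard_require_admin() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // Administrator: let the plugin's own handler run.
    }

    // Record the rejected request so it can be reviewed later.
    $user = wp_get_current_user();
    error_log( sprintf(
        'Blocked %s: user_id=%d login=%s ip=%s',
        NCO_GUARDED_ACTION,
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // wp_send_json_error() sends the response and ends the request, so the
    // plugin's handler never executes for this user.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

The guard only restricts who can reach the action; it does not add nonce verification, and the existing exclude list should still be reviewed for entries that administrators did not add.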
Affected products
- Range: <=1.1
Patches
No patches discovered yet.
References