CVE-2025-13749
Description
The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Clearfy Cache <=2.4.0 has a CSRF in the Updates Manager that lets attackers silently disable update notifications, hiding available patches from admins.
Vulnerability
Overview
The Clearfy Cache plugin for WordPress (versions up to and including 2.4.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in the wbcr_upm_change_flag AJAX handler. The function lacks nonce validation (check_ajax_referer is missing), allowing an attacker to forge requests that modify update-related settings without the administrator's consent [1].
Exploitation
Details
An unauthenticated attacker can craft a malicious link or page that, when visited by a logged-in administrator, causes the administrator's own browser to send a state-changing request to the vulnerable endpoint. Although the handler performs a capability check for install_plugins, this does not prevent CSRF: the forged request carries the administrator's session cookies, so the capability check passes exactly as it would for a legitimate request [1]. What is missing is a nonce, which would bind the request to a page WordPress itself rendered for that user. The attack requires social engineering to get the administrator to follow the link while logged in.
Impact
Successful exploitation silently disables update notifications for specific plugins or themes. The targeted item disappears from the update list and the familiar yellow update banner is no longer shown, leaving the administrator with no visible indication that updates are pending. This stealthy behavior can keep vulnerable software in place, increasing the risk of compromise over time as security patches are effectively hidden [1].
Mitigation
The vendor has not released a patched version as of the publication date. Users should consider applying a virtual patch via a Web Application Firewall (WAF) or manually adding nonce validation to the affected function. The vulnerability is publicly disclosed with a proof of concept, but no active exploitation has been reported [1].
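The missing check described under Overview, and the handler-level fix suggested above, shown on an illustrative WordPress AJAX handler. This is an added example and is not the Clearfy plugin's own code: the action hook example_change_flag, the option name example_hidden_updates, the script handle, and the request parameters slug and hide are assumed for illustration. The vulnerable and hardened handlers differ only in the nonce check.

```php
<?php
/**
 * Illustrative WordPress admin-ajax handler (added example, not Clearfy's code).
 * Hook names, option names and request parameters below are assumed.
 * Contrasts the CSRF-prone pattern (capability check only) with the
 * hardened pattern (nonce check + capability check).
 */

/** Shared state change: hide or unhide update notices for one plugin/theme slug. */
function example_set_hidden_update( $slug, $hide ) {
    $hidden = (array) get_option( 'example_hidden_updates', array() );
    $hidden = array_values( array_diff( $hidden, array( $slug ) ) );
    if ( $hide ) {
        $hidden[] = $slug;
    }
    update_option( 'example_hidden_updates', $hidden );
    return $hidden;
}

/**
 * VULNERABLE PATTERN. current_user_can() only proves the request arrived
 * with an administrator's session cookies. A forged request from an
 * attacker's page is sent by the admin's own browser, so it carries those
 * cookies and passes this check. Nothing ties the request to a page WordPress
 * rendered for this user. (Kept here for contrast; do not register it.)
 */
function example_change_flag_vulnerable() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $slug = isset( $_REQUEST['slug'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['slug'] ) ) : '';
    example_set_hidden_update( $slug, ! empty( $_REQUEST['hide'] ) );
    wp_send_json_success();
}

/**
 * HARDENED PATTERN.
 * 1. check_ajax_referer() verifies a nonce created for this user and this
 *    action; a cross-site page cannot obtain it, so a forged request dies
 *    (HTTP 403, body "-1") before any state changes.
 * 2. The capability check stays: a nonce is authentication of the request's
 *    origin, not authorization of the user.
 */
function example_change_flag_hardened() {
    check_ajax_referer( 'example_change_flag', 'nonce' );

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $slug = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }

    $hidden = example_set_hidden_update( $slug, ! empty( $_POST['hide'] ) );
    wp_send_json_success( array( 'hidden' => $hidden ) );
}
// Only wp_ajax_ (logged-in users); never wp_ajax_nopriv_ for an admin action.
add_action( 'wp_ajax_example_change_flag', 'example_change_flag_hardened' );

/**
 * Nonce issuance: the admin page that owns the toggle receives a nonce bound
 * to the current user and the 'example_change_flag' action. The page's script
 * sends it back as the 'nonce' field, e.g.
 *   jQuery.post( exampleUpm.ajaxUrl, { action: 'example_change_flag',
 *                nonce: exampleUpm.nonce, slug: 'some-plugin', hide: 1 } );
 */
function example_enqueue_admin_js( $hook_suffix ) {
    if ( 'plugins.php' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-updates', plugins_url( 'updates.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-updates', 'exampleUpm', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_change_flag' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );
```

Two details matter for this class of bug. admin-ajax.php dispatches on $_REQUEST['action'], so a handler that reads its inputs from $_REQUEST (as the vulnerable pattern does) can be driven by a plain GET link, which is why a clicked link is enough; reading from $_POST narrows but does not close the hole, since a hidden auto-submitting form posts cross-site just as easily. Only the nonce closes it. When adding the check to an existing handler, the nonce must also be issued to every legitimate caller, otherwise the fix breaks the plugin's own UI.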
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=2.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.