VYPR
Medium severity 4.3 · NVD Advisory · Published Oct 31, 2025 · Updated Apr 27, 2026

CVE-2025-64357

Description

Cross-Site Request Forgery (CSRF) vulnerability in Younes JFR. Advanced Database Cleaner (advanced-database-cleaner) allows Cross Site Request Forgery. This issue affects Advanced Database Cleaner: from n/a through <= 3.1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Advanced Database Cleaner plugin (≤3.1.6) lets attackers force privileged users to execute unwanted actions.

Vulnerability Overview

The Advanced Database Cleaner plugin for WordPress, versions 3.1.6 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw allows an attacker to trick a privileged user into unknowingly performing actions in the plugin, such as modifying settings or triggering database cleanup operations, without the user's consent.

Exploitation Details

Exploitation requires user interaction — the victim must click a malicious link, visit a crafted page, or submit a form while authenticated to the WordPress admin panel [1]. The attacker does not need any special network position beyond being able to deliver the crafted request to the victim [1]. The vulnerability is initiated by an attacker with low privileges, but the actual actions are executed under the session of the higher-privileged user [1].

Impact

Successful exploitation could allow an attacker to force a privileged user to execute unwanted actions within the plugin, potentially altering database cleanup schedules, deleting data, or changing plugin settings [1]. The CVSS score of 4.3 (Medium) reflects the need for user interaction and the limited direct impact on confidentiality or integrity [1].

Mitigation

The vendor has released version 3.1.7 which patches the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
