Platform
wordpress
Component
clearfy
Fixed in
2.5.4
CVE-2025-13749 is a Cross-Site Request Forgery (CSRF) vulnerability in the Clearfy Cache WordPress plugin affecting versions 0.0.0 through 2.4.0. An unauthenticated attacker can disable the plugin's update notifications by inducing a logged-in administrator to submit a forged request, for example by luring them to an attacker-controlled page while they hold a wp-admin session. The advisory text names version 2.4.1 as the patched release (the fixed-in field above lists 2.5.4); running the current release covers both.
The direct impact is limited to silently disabling the plugin's update notifications, but the downstream effect matters: an administrator who no longer sees update prompts is likely to leave later, more serious vulnerabilities in the plugin unpatched, which can end in data theft, defacement or full compromise of the host. As with any CSRF, the attacker never authenticates; the victim's browser attaches the administrator's session cookie to the forged request, so the request passes WordPress's login and capability checks. A CSRF flaw of this kind in a WordPress plugin means the handler changes state without verifying a nonce, WordPress's per-user, per-action CSRF token.
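To make the missing check concrete, here is an added example in PHP; it is not code from the Clearfy Cache plugin or from this advisory. It shows a generic WordPress admin-ajax handler that flips an "update notifications" setting, first in the pattern that is open to CSRF and then with WordPress's nonce check in place. The function names, the AJAX action names, the option key and the script handle are assumptions chosen for the illustration.

```php
<?php
// Added example, not Clearfy's own code. Names prefixed myplugin_ are assumed.

// --- Vulnerable pattern: trusts any request arriving with an admin session ---
// Any page the administrator visits while logged in can submit this request
// (the browser attaches the admin's cookies automatically), so the capability
// check passes and the flag is changed without the admin ever intending it.
function myplugin_change_flag_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $flag = isset( $_POST['flag'] ) ? (bool) intval( $_POST['flag'] ) : false;
    update_option( 'myplugin_disable_update_notices', $flag );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_change_flag_vulnerable', 'myplugin_change_flag_vulnerable' );

// --- Hardened pattern: nonce check first, then capability check --------------
function myplugin_change_flag_secure() {
    // check_ajax_referer() validates the nonce sent in $_POST['nonce'] against the
    // action 'myplugin_change_flag' for the current user and dies (HTTP 403) if it
    // is missing, expired or forged. A third-party page cannot obtain this value.
    check_ajax_referer( 'myplugin_change_flag', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $flag = isset( $_POST['flag'] ) ? (bool) intval( $_POST['flag'] ) : false;
    update_option( 'myplugin_disable_update_notices', $flag );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_change_flag_secure', 'myplugin_change_flag_secure' );
// For a classic (non-AJAX) form or GET link in wp-admin the equivalent is
// check_admin_referer( 'myplugin_change_flag' ) on the server side and
// wp_nonce_field() / wp_nonce_url() when rendering the form or link.

// --- Handing the nonce to the plugin's own settings-page JavaScript ----------
function myplugin_enqueue_settings_script( $hook_suffix ) {
    // 'settings_page_myplugin' is the hook suffix for an assumed options page.
    if ( 'settings_page_myplugin' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'myplugin-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // settings.js reads mypluginAjax.nonce and posts it as the 'nonce' field.
    wp_localize_script( 'myplugin-settings', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_change_flag' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_settings_script' );
```

The order of the two checks in the hardened handler is deliberate: the nonce check rejects forged requests before any capability logic runs, and the capability check still protects against a low-privilege user who does hold a valid nonce of their own.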
The vulnerability was publicly disclosed on 2026-01-09. No public proof-of-concept (PoC) code had been identified at the time of writing, and the CVE is not listed in the CISA KEV catalog. Because a CSRF attack needs only that an administrator visit an attacker-controlled page, and because the payoff (delayed patching) grows over time, the probability of exploitation is rated medium.
WordPress sites running Clearfy Cache versions 0.0.0 through 2.4.0 are affected. Sites on shared hosting carry additional exposure: if delayed patching leads to the compromise of one site, neighbouring sites on the same server can be targeted from it.
Detection (wordpress / composer / npm):
• Confirm the plugin is installed by searching for the affected handler (the plugin slug is clearfy, as in the component field above; the glob also matches a clearfy-cache directory). Finding the string proves the plugin is present, not that it is vulnerable; the version decides:
grep -r 'wbcr_upm_change_flag' /var/www/html/wp-content/plugins/clearfy*/
• List the installed plugin and its version with WP-CLI:
wp plugin list --status=all | grep clearfy
• Read the published version from the plugin's readme.txt. curl -I returns only the HTTP headers, so the body has to be fetched and the "Stable tag" line matched:
curl -s https://your-wordpress-site.com/wp-content/plugins/clearfy/readme.txt | grep -i 'stable tag'
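The commands above show that the plugin is present and print a version string; deciding whether that version is in the affected range still needs a semantic comparison (a plain string test treats 2.10.0 as older than 2.4.1). The PHP script below is an added example, not part of the advisory or the plugin: it takes the version from the main plugin file's header (falling back to the readme's Stable tag), compares it against the patched release with version_compare(), and runs here on constructed sample inputs so it works without a WordPress install. The directory path and the sample file contents are assumptions.

```php
<?php
// Added example, not from the advisory or the plugin. Decides whether an
// installed Clearfy Cache copy falls in the affected range (0.0.0 through 2.4.0).

const FIXED_IN = '2.4.1'; // first patched release named in the advisory text

// Extract "Version: x.y.z" from a WordPress plugin header comment block.
function version_from_plugin_header(string $php): ?string
{
    if (preg_match('/^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)/mi', $php, $m)) {
        return $m[1];
    }
    return null;
}

// Extract "Stable tag: x.y.z" from readme.txt (some plugins publish "trunk" here,
// which yields null and should make you fall back to the plugin header).
function version_from_readme(string $readme): ?string
{
    if (preg_match('/^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)/mi', $readme, $m)) {
        return $m[1];
    }
    return null;
}

// True when $version is below the fixed release. version_compare() compares
// numeric components, so 2.10.0 is correctly treated as newer than 2.4.1.
function is_affected(string $version): bool
{
    return version_compare($version, FIXED_IN, '<');
}

// Inspect a plugin directory on disk: prefer the plugin header, then readme.txt.
function check_plugin_dir(string $dir): string
{
    $version = null;
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $version = version_from_plugin_header((string) file_get_contents($file));
        if ($version !== null) {
            break;
        }
    }
    if ($version === null && is_readable($dir . '/readme.txt')) {
        $version = version_from_readme((string) file_get_contents($dir . '/readme.txt'));
    }
    if ($version === null) {
        return "$dir: could not determine plugin version";
    }
    return sprintf('%s: version %s is %s', $dir, $version,
        is_affected($version) ? 'AFFECTED, upgrade to ' . FIXED_IN . ' or later' : 'not affected');
}

// Constructed sample inputs (not real plugin files) so the script runs offline.
$sampleHeader = "<?php\n/**\n * Plugin Name: Clearfy Cache\n * Version: 2.4.0\n */\n";
$sampleReadme = "=== Clearfy Cache ===\nRequires at least: 5.0\nStable tag: 2.4.1\n";

foreach ([version_from_plugin_header($sampleHeader), version_from_readme($sampleReadme)] as $v) {
    printf("%s -> %s\n", $v, is_affected($v) ? 'affected' : 'patched');
}
// On a real host (assumed path): echo check_plugin_dir('/var/www/html/wp-content/plugins/clearfy');
```

Run it with `php check_clearfy.php`; the sample header (2.4.0) reports affected and the sample readme (2.4.1) reports patched. Point check_plugin_dir() at the actual plugin directory to test a live install.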
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to upgrade Clearfy Cache to version 2.4.1 or later without delay. Where that is not immediately possible, reduce exposure in the meantime: configure the Web Application Firewall (WAF) to block requests that reach the wbcr_upm_change_flag handler from a cross-site context (a foreign Origin or Referer header, or Sec-Fetch-Site: cross-site); remind administrators not to follow links from untrusted sources while logged in to wp-admin, since such a page can carry the forged request; and review WordPress user roles regularly so that only the people who need it hold administrator rights. These are stop-gaps: only the plugin update removes the flaw.
Update to version 2.4.1 or a newer patched release.
CVE-2025-13749 is a Cross-Site Request Forgery (CSRF) vulnerability in the Clearfy Cache WordPress plugin that lets an attacker disable the plugin's update notifications through a logged-in administrator's browser.
You are affected if you run Clearfy Cache versions 0.0.0 through 2.4.0. Upgrade to 2.4.1 or later to close the gap.
Upgrade the Clearfy Cache plugin to version 2.4.1 or later. WAF rules and administrator awareness are stop-gaps only, not a substitute for the update.
No active exploitation of CVE-2025-13749 has been confirmed at this time, but CSRF needs no attacker authentication, so exploitation remains plausible.
Refer to the Clearfy Cache plugin website or the WordPress plugin repository for the official advisory and update information.