Platform: wordpress
Component: wp-db-booster
Fixed in: 1.0.2
CVE-2025-14168 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WP DB Booster plugin for WordPress. The flaw lets an unauthenticated attacker delete critical database records, including post drafts, revisions, comments, and metadata. Versions 1.0.0 through 1.0.1 are affected, and a patch is expected to be released by the plugin developer.
The impact of this CSRF vulnerability is significant, particularly for WordPress sites that rely on the WP DB Booster plugin for database optimization. An attacker who can trick a logged-in site administrator into clicking a malicious link can trigger actions that delete essential data. This could lead to data loss, disruption of site functionality, and potential defacement. The attacker needs no account of their own: the forged request rides on the victim administrator's authenticated session, which makes the flaw easier to exploit. The ability to delete post drafts and revisions could also hinder content creation and recovery efforts.
This vulnerability was publicly disclosed on 2025-12-20. There are currently no known public proof-of-concept exploits available. The CVSS score of 4.3 (Medium) indicates a moderate risk. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed at this time, but the ease of exploitation warrants monitoring.
Exploit Status
EPSS: 0.02% (3rd percentile)
The primary mitigation for CVE-2025-14168 is to upgrade to a patched version of the WP DB Booster plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds such as restricting access to the cleanup_all AJAX action with a web application firewall (WAF) or reverse proxy that filters requests to the plugin's admin-ajax.php endpoint. Monitor WordPress and web-server logs for unexpected requests to the plugin's AJAX actions, particularly ones arriving with an off-site Referer. After upgrading, confirm the vulnerability is resolved by attempting a crafted CSRF request in a test environment and verifying that it is rejected.
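To show what the fix for this class of bug looks like, here is an added illustration of a WordPress admin-ajax.php handler in its CSRF-prone form beside a hardened one. This is example code written for this page, not the WP DB Booster plugin's own source; the function names, the nonce action name "example_cleanup_all", the admin screen id, and the assumption that the root cause is a handler registered without a nonce or capability check are all hypothetical. Only the action name cleanup_all comes from the advisory.

```php
<?php
// Added example (not the WP DB Booster plugin's code): the CSRF-prone pattern
// an admin-ajax.php handler can take, beside a hardened version.
// Hypothetical function, nonce and screen names; only "cleanup_all" is from the advisory.

// --- Vulnerable pattern: the handler trusts any request naming the action. ---
// WordPress fires "wp_ajax_{action}" for logged-in users, so a forged request
// submitted by an administrator's browser arrives with their session cookies
// and nothing proves the administrator actually intended the action.
function example_cleanup_all_unsafe() {
    global $wpdb;
    // Destructive queries run with no nonce check and no capability check.
    $wpdb->query( "DELETE FROM {$wpdb->posts} WHERE post_status = 'auto-draft'" );
    $wpdb->query( "DELETE FROM {$wpdb->posts} WHERE post_type = 'revision'" );
    wp_send_json_success( 'cleaned' );
}
add_action( 'wp_ajax_cleanup_all', 'example_cleanup_all_unsafe' );

// --- Hardened pattern: nonce and capability checks before anything destructive. ---
function example_cleanup_all_safe() {
    // 1. CSRF defence: the request must carry a nonce bound to this action and
    //    to the current user's session. check_ajax_referer() stops execution
    //    with a "-1" / 403 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_cleanup_all', 'nonce' );

    // 2. Authorisation: only users allowed to manage the site may purge data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    global $wpdb;
    $deleted  = (int) $wpdb->query( "DELETE FROM {$wpdb->posts} WHERE post_status = 'auto-draft'" );
    $deleted += (int) $wpdb->query( "DELETE FROM {$wpdb->posts} WHERE post_type = 'revision'" );
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
// Swap the unsafe hook for the hardened one. Deliberately no
// "wp_ajax_nopriv_cleanup_all" hook: anonymous visitors get no handler at all.
remove_action( 'wp_ajax_cleanup_all', 'example_cleanup_all_unsafe' );
add_action( 'wp_ajax_cleanup_all', 'example_cleanup_all_safe' );

// --- Issuing the nonce only to the legitimate admin page's script. ---
function example_enqueue_cleanup_script( $hook ) {
    if ( 'tools_page_example-db-cleanup' !== $hook ) { // hypothetical screen id
        return;
    }
    wp_enqueue_script( 'example-cleanup', plugins_url( 'cleanup.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-cleanup', 'exampleCleanup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_cleanup_all' ), // sent back as the "nonce" field
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_cleanup_script' );
```

The nonce is the check a forged cross-site request cannot satisfy, because the attacker's page never sees the value that wp_create_nonce() issued to the administrator's own admin screen; the capability check is a separate layer that keeps lower-privileged logged-in users away from the action. When verifying a fix in a test environment, a request for action=cleanup_all that omits the nonce should come back as "-1" or HTTP 403 and delete nothing.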
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14168 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP DB Booster plugin for WordPress versions 1.0.0–1.0.1, allowing attackers to delete database records via forged requests.
If you are using the WP DB Booster plugin in versions 1.0.0 through 1.0.1, you are potentially affected by this vulnerability. Check your plugin versions immediately.
Upgrade to the latest version of the WP DB Booster plugin as soon as a patch is released. Until then, consider implementing WAF rules or restricting access to the vulnerable AJAX action.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants monitoring and proactive mitigation.
Refer to the WP DB Booster plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2025-14168.