Platform: wordpress
Component: wp-fastest-cache
Fixed in: 1.4.1
CVE-2025-10476 affects the WP Fastest Cache plugin for WordPress, a caching plugin designed to improve website performance. This vulnerability allows authenticated attackers, specifically those with Subscriber-level access or higher, to initiate database fix actions without proper authorization. The issue impacts versions 0.0.0 through 1.4.0 of the plugin and is only present on sites with the premium version activated. A fix is available in version 1.4.1.
The core impact of CVE-2025-10476 lies in the potential for unauthorized modification of the WordPress database. An attacker, having gained Subscriber access, can leverage the missing capability check in the wpfcdbfix_callback() function to trigger various database fix actions. This could lead to data corruption, manipulation of cached content, or even the injection of malicious code through database modifications. The blast radius is limited to the affected WordPress site, but the consequences can be significant, impacting website functionality and potentially user data. This vulnerability highlights the importance of robust access controls, even for users with seemingly limited privileges.
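The missing-authorization pattern described above, shown as an added illustrative example rather than WP Fastest Cache's own code; the hook name, the stand-in query and the function names are assumptions, only the WordPress API calls are real:

```php
<?php
// Added illustrative example, not the plugin's code. The hook name, the
// stand-in "fix" query and the function names are assumptions.

// VULNERABLE PATTERN (as described in the advisory): a wp_ajax_* handler
// fires for every logged-in user, Subscriber included, so without a
// capability check any authenticated account can trigger the DB changes.
function wpfcdbfix_callback_example_vulnerable() {
    global $wpdb;
    // No current_user_can() and no nonce: reachable by any Subscriber.
    $wpdb->query( "OPTIMIZE TABLE {$wpdb->options}" ); // stand-in fix step
    wp_send_json_success( 'done' );
}

// HARDENED FORM: authorize first, then verify the request's nonce, then act.
add_action( 'wp_ajax_wpfc_db_fix_example', 'wpfcdbfix_callback_example_fixed' );
function wpfcdbfix_callback_example_fixed() {
    // 1. Authorization: only users who may manage the site run DB fixes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // ends request
    }
    // 2. CSRF protection: the request must carry a nonce minted for this
    //    action (e.g. via wp_create_nonce( 'wpfc_db_fix_example' )).
    check_ajax_referer( 'wpfc_db_fix_example', 'nonce' );

    global $wpdb;
    $wpdb->query( "OPTIMIZE TABLE {$wpdb->options}" ); // stand-in fix step
    wp_send_json_success( 'done' );
}
```

When reviewing a plugin for this bug class, look for every `wp_ajax_*` (and `admin_post_*`) callback that reaches `$wpdb` or `update_option()` and confirm both a capability check and a nonce check sit before the side effect.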
CVE-2025-10476 was published on 2025-11-27. The vulnerability's severity is currently assessed as medium. There are no known public exploits or active campaigns targeting this specific vulnerability at the time of writing. It is not listed on KEV or EPSS. Monitor security advisories and WordPress forums for any updates regarding exploitation attempts.
Exploit Status
EPSS
0.04% (percentile 11%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-10476 is to upgrade the WP Fastest Cache plugin to version 1.4.1 or later. If upgrading immediately is not feasible due to compatibility concerns or testing requirements, consider temporarily restricting access to the database fix functionality. While a direct WAF rule is unlikely to be effective, implementing stricter user role permissions within WordPress to limit access to administrative functions can reduce the attack surface. After upgrading, verify the integrity of the database by checking for any unexpected changes or inconsistencies in cached data.
Update to version 1.4.1, or a newer patched version
CVE-2025-10476 is a medium severity vulnerability in WP Fastest Cache versions 0.0.0–1.4.0. It allows authenticated attackers with Subscriber access to trigger database fix actions, potentially leading to data corruption.
You are affected if you are using WP Fastest Cache version 0.0.0 through 1.4.0 and have the premium version activated. Check your plugin version in the WordPress admin panel.
Upgrade to WP Fastest Cache version 1.4.1 or later to resolve the vulnerability. If immediate upgrade is not possible, restrict access to database fix functionality.
As of the current assessment, CVE-2025-10476 is not known to be actively exploited, but continuous monitoring is recommended.
Refer to the official WP Fastest Cache website and WordPress plugin repository for the latest security advisory and update information.