CVE-2025-10476 affects the WordPress plugin WP Fastest Cache (WordPress.org lists 1+ million active installations) and is an authorization flaw in an authenticated AJAX endpoint that can be abused by any logged-in user (Subscriber+) to trigger destructive “database cleanup / fix” operations. The security impact is not theoretical: the affected action can delete content history (revisions), remove trashed items, wipe spam/trashed comments, and clear transient data, changes that directly degrade integrity and availability and can create visible outages or operational disruption until administrators restore content or caches rebuild.

CVE: CVE-2025-10476
Plugin Version: WP Fastest Cache <= 1.4.0
Severity: High
All Time: 62 232 113
Active installations: 1 000 000+
Publicly Published: November 26, 2025
Last Updated: November 26, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10476
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-fastest-cache/wp-fastest-cache-140-missing-authorization-to-authenticated-subscriber-db-cleanup-actions
https://t.me/cleantalk_researches/355

Timeline

August 27, 2025: Plugin testing and vulnerability detection in WP Fastest Cache have been completed
August 27, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 26, 2025: Registered CVE-2025-10476

Discovery of the Vulnerability

The vulnerability is rooted in a missing access-control decision in the AJAX callback (wpfc_db_fix_callback()), which—per the public CVE description—fails to enforce a capability check before initiating database “fix” actions. In practical terms, the handler accepts attacker-controlled input (the type parameter) and invokes the database cleanup logic without confirming that the caller is an administrator (or otherwise privileged) and without ensuring a proper request authenticity control (nonce) is present; the NVD record explicitly describes exploitation by authenticated attackers with Subscriber-level access and above. Importantly, the NVD notes the exposure only affects sites with premium activated, which aligns with the described behavior of calling into premium cleanup functionality. 

Understanding Missing Authorization Attacks

“Database cleanup” features are operationally sensitive because they are meant to be used by trusted administrators to remove data that is safe to discard (or that can be regenerated), but which still has real business value and availability implications. WP Fastest Cache’s premium documentation describes database cleanup as removing “garbage” such as post revisions, trashed posts/pages, spam/trashed comments, trackbacks/pingbacks, and transient options, among other items. If a low-privilege user can invoke these actions at will, the plugin effectively becomes a built-in “content sabotage” primitive: a Subscriber can strip revision history (removing recovery options for editors), empty trash (increasing the chance of permanent loss if combined with other workflows), and flush transients in ways that can break integrations and degrade site stability until caches and derived data are rebuilt.

Exploiting the Missing Authorization Vulnerability

To exploit CVE-2025-10476, an attacker with Subscriber+ cookies only needs to request the unprotected AJAX action with a cleanup type of their choosing:

POC:

http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=wpfc_db_fix&type=post_revisions


The most damaging aspect of CVE-2025-10476 is that it allows an attacker to cause meaningful harm without elevating privileges: a simple Subscriber account—common on membership, LMS, e-commerce, and community sites—can repeatedly invoke cleanup types to degrade the site’s operational state. The immediate outcomes can include loss of editorial safety nets (revisions), sudden disappearance of content in trash workflows, destabilized comment moderation histories, and broad transient purges that can cascade into errors, performance regressions, and “mysterious breakage” until the site warms caches and regenerates derived data. The NVD specifically frames this as unauthorized modification of data due to a missing capability check, which is an accurate categorization because these actions mutate core WordPress data structures rather than merely reading information. The “premium activated” caveat is important for triage, but it does not meaningfully reduce severity for affected sites because premium users are often larger, higher-value targets.

Recommendations for Improved Security

The correct remediation is to treat database cleanup as an administrative maintenance operation and enforce both authorization and request authenticity. First, gate the AJAX callback with a strict capability such as current_user_can('manage_options') (or a dedicated plugin capability that is not granted to low roles), and fail closed if the check does not pass; the CVE description explicitly identifies the missing capability check as the root cause. Second, require a nonce and validate it with check_ajax_referer() (or wp_verify_nonce()), because any state-changing authenticated endpoint without a nonce is typically CSRF-prone in WordPress. Third, validate type against a hard allow-list of supported cleanup operations (reject unknown values), and ensure that premium-only cleanup code paths cannot be invoked from free endpoints unless the premium module is present and the caller is authorized. Finally, document and test these endpoints explicitly as part of a security regression suite: “maintenance” actions are easy to overlook, but they are exactly the endpoints attackers prefer because they produce high impact with minimal complexity.
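As an added example (not WP Fastest Cache's own code), the callback pattern described in the Discovery section is shown beside a hardened version that applies the four recommendations above; the hook name, the nonce action and the example_run_db_cleanup() stand-in for the premium cleanup routine are assumptions.

```php
<?php
// Added example, not the plugin's code. example_run_db_cleanup() is a
// hypothetical stand-in for the premium cleanup routine and is assumed to
// return the number of rows it deleted.

// The pattern the advisory describes: no capability check, no nonce, and the
// attacker-controlled "type" parameter passed straight to the cleanup logic.
function example_db_fix_callback_vulnerable() {
    $type = isset( $_GET['type'] ) ? sanitize_key( $_GET['type'] ) : '';
    example_run_db_cleanup( $type ); // reachable by any logged-in user
    wp_die();
}

// Hardened version: authorization, request authenticity, strict allow-list,
// and premium-only code kept unreachable when the module is absent.
function example_db_fix_callback_hardened() {
    // 1. Authorization: fail closed unless the caller can manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. Request authenticity: nonce tied to this action; dies on mismatch.
    check_ajax_referer( 'example_db_fix', 'nonce' );

    // 3. Input validation: only known cleanup operations are accepted.
    $allowed = array( 'post_revisions', 'trashed_posts', 'spam_comments',
                      'trashed_comments', 'transients' );
    $type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
    if ( ! in_array( $type, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown cleanup type' ), 400 );
    }
    // 4. Premium-only path: refuse if the cleanup module is not loaded.
    if ( ! function_exists( 'example_run_db_cleanup' ) ) {
        wp_send_json_error( array( 'message' => 'cleanup module not available' ), 404 );
    }
    $deleted = example_run_db_cleanup( $type );
    wp_send_json_success( array( 'type' => $type, 'deleted' => (int) $deleted ) );
}
// Register only the authenticated hook; a destructive maintenance action
// must never get a wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_db_fix', 'example_db_fix_callback_hardened' );

// The nonce is minted server-side and handed to the admin page's script,
// which sends it back as the "nonce" POST field.
function example_db_fix_nonce() {
    return wp_create_nonce( 'example_db_fix' );
}
```

The allow-list check uses strict comparison so that loosely-typed values cannot match, and the nonce alone would not stop a Subscriber, which is why the capability check comes first.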

By taking proactive measures to address Missing Authorization vulnerabilities like CVE-2025-10476, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #MissingAuth #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2025-10476 – WP Fastest Cache – Missing Authorization to Authenticated (Subscriber+) DB Cleanup Actions – POC
