CVE-2025-13749 affects Clearfy version 2.4.0 and it is a Cross Site Request Forgery weakness inside the Clearfy Updates Manager module that allows an attacker to change update visibility and auto update behavior without the administrator’s consent. The most important security property here is stealth. Once the request succeeds, the targeted plugin or theme immediately disappears from the update list and the familiar yellow update banner no longer appears, so the administrator receives no obvious signal that anything changed. This is not a flashy exploit like code execution, but it is a persistence enabler that keeps vulnerable software in place and increases compromise probability over time because patching is silently disabled.

CVE: CVE-2025-13749
Plugin Version: Clearfy <= 2.4.0
All Time Downloads: 2 400 213
Active installations: 50 000+
Publicly Published: January 8, 2026
Last Updated: January 8, 2026
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13749
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/clearfy/clearfy-240-cross-site-request-forgery-to-update-notification-tampering
https://t.me/cleantalk_researches/380

Timeline

November 17, 2025: Plugin testing and vulnerability detection in the Email Kit have been completed
November 17, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
January 8, 2026: Registered CVE-2025-13749

Discovery of the Vulnerability

The vulnerable surface is the AJAX action wbcr-upm-change-flag that processes state changing requests but does not validate a nonce with check_ajax_referer. The handler performs a capability check for install_plugins, which is typical for administrator level settings, yet capability checks alone do not prevent CSRF because the browser automatically attaches the victim’s authenticated cookies to cross site requests. The attacker does not need to bypass authentication. They only need to cause the victim admin to load a malicious page that submits a form to admin-ajax. The endpoint accepts parameters that identify the target component and the update flag to change, so the attacker can toggle Updates, AutoUpdates, and TranslationUpdates for a chosen plugin slug or theme, which is exactly what makes the impact persistent and hard to notice.

Understanding CSRF attacks

CSRF in WordPress is especially dangerous when it targets configuration that controls patch management. WordPress sites typically stay safe not because every plugin is perfect, but because updates reduce exposure windows and remove known vulnerabilities quickly. When a plugin introduces a missing nonce on an administrative setting change endpoint, it creates a scenario where the attacker supplies intent and the administrator supplies authority. Clearfy Updates Manager is a high leverage component because it sits directly in the control plane that decides what gets patched and what stays behind. In real incidents, attackers often try to maintain access by disabling security plugins, changing update settings, or suppressing alerts. CVE-2025-13749 fits that playbook because the best exploit is the one that makes future exploits easier. A silent update suppression action can be used to keep a specific vulnerable plugin version installed until an attacker returns with a known public exploit, or to prevent a quick remediation after an initial foothold is gained.

Exploiting the CSRF Vulnerability

To exploit CVE-2025-13749, an attacker who holds no session cookies for the site only needs a logged-in administrator to load a page that submits the following form:

POC:

<form id="f" method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin-ajax.php">
  <input name="action" value="wbcr-upm-change-flag">
  <input name="plugin" value="greenshift-animation-and-page-builder-blocks"><!-- or theme=twentytwentyfive -->
  <input name="flag" value="Updates"><!-- Updates | AutoUpdates | TranslationUpdates -->
  <input name="value" value="1"><!-- 1 => disable*, 0 => enable* -->
</form>
<script>f.submit()</script>


The primary risk is long term security degradation that is difficult for site owners to detect. Once updates are suppressed, vulnerabilities accumulate and the site drifts behind the patch level that defenders assume. That creates a wider exploit surface for automated attacks and makes opportunistic compromise more likely, especially for popular plugins that are frequently targeted. The stealth aspect is important because administrators tend to rely on the update banner and the dashboard list as their main operational signal. If those signals are removed, the site can remain unpatched for weeks or months. An attacker can also chain this with phishing or credential stuffing. For example, after achieving a single admin CSRF event, they can disable auto updates for a security plugin or a firewall integration, then later exploit an older known bug in that plugin to gain persistent access. The ability to target many slugs by issuing multiple posts in one visit means this can scale into mass update suppression on sites where admins browse untrusted pages, which is realistic during routine research, theme shopping, or plugin troubleshooting.

Recommendations for Improved Security

The direct fix is to add CSRF protection to wbcr-upm-change-flag by requiring and validating a nonce using check_ajax_referer, and to ensure the nonce is scoped to the Updates Manager module and action. Capability checks should remain, but they must be paired with nonce validation because capability checks do not stop cross site submissions. It is also prudent to add server side logging for flag changes including actor user ID, target slug, flag, and new value, so that unexpected toggles are visible during incident response. Site owners should review Clearfy Updates Manager settings for any plugin or theme that has Updates, AutoUpdates, or TranslationUpdates disabled unexpectedly, and they should consider enabling platform level auto updates where possible as a compensating control. For operational safety, admins should use separate browsing sessions or a different browser profile for general web browsing and for WordPress administration, because that reduces exposure to CSRF style attacks that rely on the victim being logged in.
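The following hardened handler illustrates the fix described above: nonce validation with check_ajax_referer in front of the existing install_plugins capability check, strict allow-listing of the flag and target, and an audit log line per change. It is an added example, not Clearfy's code; the action name and the plugin/theme/flag/value parameters come from this advisory, while the nonce action name, the script handle, and the option used for storage are assumptions.

```php
<?php
// Added example, not Clearfy's own code. Assumed names: the nonce action
// 'wbcr_upm_change_flag', the script handle 'upm-admin', and the option
// 'upm_update_flags' used here as a stand-in for the module's real storage.

// Hand a module-scoped nonce to the admin page's script so that only
// requests originating from the Updates Manager UI can carry it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'upm-admin', 'upmAjax', array(
        'nonce' => wp_create_nonce( 'wbcr_upm_change_flag' ),
    ) );
} );

add_action( 'wp_ajax_wbcr-upm-change-flag', function () {
    // 1. Nonce first: a cross-site form post carries cookies but no nonce,
    //    so check_ajax_referer() terminates the request with a 403 here.
    check_ajax_referer( 'wbcr_upm_change_flag', '_wpnonce' );

    // 2. The capability check stays, but is no longer the only gate.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list the flag and identify exactly one target component.
    $allowed_flags = array( 'Updates', 'AutoUpdates', 'TranslationUpdates' );
    $flag  = isset( $_POST['flag'] ) ? sanitize_text_field( wp_unslash( $_POST['flag'] ) ) : '';
    $value = ( isset( $_POST['value'] ) && '1' === $_POST['value'] ) ? 1 : 0; // 1 = disable
    $type  = '';
    $slug  = '';
    if ( ! empty( $_POST['plugin'] ) ) {
        $type = 'plugin';
        $slug = sanitize_key( wp_unslash( $_POST['plugin'] ) );
    } elseif ( ! empty( $_POST['theme'] ) ) {
        $type = 'theme';
        $slug = sanitize_key( wp_unslash( $_POST['theme'] ) );
    }
    if ( ! in_array( $flag, $allowed_flags, true ) || '' === $slug ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // 4. Audit trail: actor, target, flag and new value, for incident response.
    error_log( sprintf( '[upm] user=%d %s=%s flag=%s value=%d ip=%s',
        get_current_user_id(), $type, $slug, $flag, $value,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-' ) );

    // 5. Persist the change (assumed option; the real module stores this elsewhere).
    $flags = get_option( 'upm_update_flags', array() );
    $flags[ $type . ':' . $slug ][ $flag ] = $value;
    update_option( 'upm_update_flags', $flags );
    wp_send_json_success();
} );
```

The legitimate admin-side script must send the nonce as the `_wpnonce` field alongside `action`, `plugin` or `theme`, `flag` and `value`; the PoC form above, which has no such field, is rejected at step 1 before any state changes.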

By taking proactive measures to address CSRF issues like CVE-2025-13749, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2025-13749 – Clearfy – Silent update suppression via CSRF in Clearfy Updates Manager – POC
