CVE-2025-10476

4.3 MEDIUM

📋 TL;DR

The WP Fastest Cache WordPress plugin has an authorization bypass: a database fix action can be triggered by any authenticated user with Subscriber-level access or higher, because the handler does not check the caller's capabilities. All versions up to and including 1.4.0 are affected, but the vulnerable code path is only reachable on sites with the premium version activated. A low-privilege user can trigger database operations that should be restricted to administrators.

💻 Affected Systems

Products:
  • WP Fastest Cache WordPress Plugin
Versions: All versions up to and including 1.4.0
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ✅ No
Notes: Only affects sites with WP Fastest Cache premium version activated. Free version is not vulnerable.

⚠️ Manual Verification Required

The plugin version alone does not decide exposure for this CVE. The affected range (1.4.0 and earlier) is known, but only sites with the premium version activated are exploitable, and that condition cannot be read from a version scan of installed plugins.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Confirm the installed plugin version and whether premium features are activated
  3. From a Subscriber-level test account in a staging environment, confirm that the database fix action is refused rather than executed
  4. Update to 1.4.1 or later in any case

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could corrupt or modify critical database tables, potentially causing site functionality issues, data loss, or service disruption.

🟠

Likely Case

Attackers with subscriber accounts could trigger unnecessary database maintenance operations, potentially causing temporary performance issues or minor data inconsistencies.

🟢

If Mitigated

With proper access controls and monitoring, impact would be limited to logged actions that could be investigated and rolled back if needed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access (Subscriber role or higher). No special tooling is needed: the attacker sends the admin-ajax.php request that reaches the database fix callback with the parameters the handler expects, and the missing authorization check lets it run.
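The pattern behind this class of bug, as an added illustration written for this page (generic WordPress code, not WP Fastest Cache's source): a `wp_ajax_*` handler that does privileged database work without a capability check, beside the same handler with a nonce and a capability check added. The hook names, the nonce action and the `OPTIMIZE TABLE` stand-in for the "database fix" are assumptions.

```php
<?php
// Illustrative only: a generic WordPress admin-ajax handler showing the
// vulnerability class (missing capability check). Not WP Fastest Cache's code;
// hook names, nonce action and the OPTIMIZE TABLE "fix" are assumptions.

// VULNERABLE PATTERN: the wp_ajax_* hook only proves the caller is logged in.
// Nothing here checks that the caller is allowed to administer the site, so a
// Subscriber who POSTs action=example_db_fix to admin-ajax.php runs the query.
add_action('wp_ajax_example_db_fix', 'example_db_fix_vulnerable');

function example_db_fix_vulnerable() {
    global $wpdb;
    $wpdb->query("OPTIMIZE TABLE {$wpdb->options}");
    wp_send_json_success('db fixed');
}

// HARDENED PATTERN: same hook, but the handler verifies a nonce bound to this
// action and then a capability before touching the database.
add_action('wp_ajax_example_db_fix_secure', 'example_db_fix_hardened');

function example_db_fix_hardened() {
    // Nonce: rejects cross-site and replayed requests; dies with 403 on failure.
    check_ajax_referer('example_db_fix_nonce', 'nonce');

    // Capability: Subscribers do not have manage_options. This is the check
    // whose absence the advisory describes.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    global $wpdb;
    $wpdb->query("OPTIMIZE TABLE {$wpdb->options}");
    wp_send_json_success('db fixed');
}

// The matching request must carry the nonce. One way to hand it to a script
// enqueued only on the plugin's admin page:
//   wp_localize_script('example-admin', 'exampleAjax', array(
//       'nonce' => wp_create_nonce('example_db_fix_nonce'),
//   ));
```

The two checks guard against different things: the nonce stops a logged-in administrator from being tricked into issuing the request, the capability check stops a low-privilege account from issuing it directly. A handler needs both; the nonce alone would not have prevented this CVE, since a Subscriber can obtain a valid nonce for any page they are allowed to load.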

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1

Vendor Fix (changeset diff, 1.4.0 to 1.4.1): https://plugins.trac.wordpress.org/changeset?old_path=/wp-fastest-cache/tags/1.4.0&new_path=/wp-fastest-cache/tags/1.4.1

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find WP Fastest Cache and click 'Update Now'.
  4. Verify the version is now 1.4.1 or higher.

🔧 Temporary Workarounds

Disable Premium Features

Applies to: all

Deactivate premium features to remove the vulnerable code path; only sites with the premium version activated are affected.

Navigate to WP Fastest Cache settings and disable premium features.

Restrict User Registration

Applies to: all

Prevent new user registrations so an attacker cannot simply create a Subscriber account. This does not remove access for accounts that already exist, which must be reviewed separately.

Go to Settings → General and uncheck 'Anyone can register'.

🧯 If You Can't Patch

  • Deactivate WP Fastest Cache plugin entirely
  • Implement strict user role management and review all subscriber-level accounts

🔍 How to Verify

Check if Vulnerable:

Check WP Fastest Cache version in WordPress admin under Plugins → Installed Plugins. If version is 1.4.0 or lower and premium is activated, you are vulnerable.

Check Version:

wp plugin list --name=wp-fastest-cache --field=version

Verify Fix Applied:

After updating, verify the version shows 1.4.1 or higher in the plugin list. Then confirm from a Subscriber-level test account that the database fix request is rejected rather than executed, and from an administrator account that it still works.

📡 Detection & Monitoring

Log Indicators:

  • Calls to the wpfc_db_fix_callback function by users who are not administrators
  • Database maintenance operations initiated by non-admin users
  • Unexpected database table modifications

Network Indicators:

  • POST requests to admin-ajax.php whose action reaches the wpfc_db_fix_callback handler, issued by sessions that do not belong to an administrator. The web-server log does not carry the WordPress role; join on the user ID or logged-in cookie recorded by the application.

Caveat: wpfc_db_fix_callback is the callback function named in the vulnerability description. The literal value of the admin-ajax.php action parameter may differ, so confirm it against the plugin source before building rules on it.

SIEM Query:

source="wordpress" AND (action="wpfc_db_fix_callback" OR (user_role="subscriber" AND operation="database_fix"))
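To produce the per-request user_role field the SIEM query assumes, and to hold the line until the update lands (the 'If You Can't Patch' options above), here is an added must-use plugin written for this page, not part of WP Fastest Cache: it logs every admin-ajax.php request with the caller's roles and refuses the guarded action to anyone without manage_options. The action value wpfc_db_fix_callback is taken from the function name in this advisory and is an assumption; confirm the real action parameter from the plugin source before relying on it.

```php
<?php
/**
 * Plugin Name: Example admin-ajax guard (illustrative)
 *
 * Added example, not WP Fastest Cache code. Place in wp-content/mu-plugins/.
 * (a) Logs every admin-ajax.php request with the caller's roles, giving the
 *     user_role field the advisory's SIEM query expects.
 * (b) Refuses a guarded action unless the caller has manage_options.
 * ASSUMPTION: the action name below is taken from the callback name in the
 * advisory; the real `action` parameter value must be confirmed in the plugin.
 */

// Actions that must only be reachable by administrators (assumed names).
const EXAMPLE_GUARDED_ACTIONS = array('wpfc_db_fix_callback');

// admin_init fires for admin-ajax.php before any wp_ajax_* callback runs,
// so a denial here happens before the plugin's handler is reached.
add_action('admin_init', 'example_guard_admin_ajax');

function example_guard_admin_ajax() {
    // admin_init also fires for ordinary wp-admin pages; only act on AJAX.
    if (!wp_doing_ajax()) {
        return;
    }

    $action = isset($_REQUEST['action']) ? sanitize_key($_REQUEST['action']) : '';
    $user   = wp_get_current_user();
    $roles  = $user->exists() ? implode(',', $user->roles) : 'anonymous';
    $ip     = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';

    // One line per request, easy to ship to a SIEM and to filter on user_role.
    error_log(sprintf(
        'admin-ajax action=%s user_id=%d user_role=%s ip=%s',
        $action, $user->ID, $roles, $ip
    ));

    // Virtual patch: deny the guarded action to anyone below administrator.
    if (in_array($action, EXAMPLE_GUARDED_ACTIONS, true) && !current_user_can('manage_options')) {
        error_log(sprintf(
            'admin-ajax DENIED action=%s user_id=%d user_role=%s ip=%s',
            $action, $user->ID, $roles, $ip
        ));
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }
}
```

Must-use plugins load before regular plugins and cannot be deactivated from the dashboard, so remove the file once 1.4.1 is installed. The guard only covers requests that arrive through admin-ajax.php; if the premium database fix can also be reached another way, that path is not covered. The log lines go wherever PHP's error_log is configured, so point that at a file your collector reads.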
