CVE-2025-12170
📋 TL;DR
The Checkbox plugin for WordPress has an unauthenticated AJAX endpoint that allows attackers to clear log files without proper authorization. This affects all WordPress sites using Checkbox plugin versions up to 2.8.10. Attackers can delete audit trails and potentially hide evidence of other attacks.
💻 Affected Systems
- WordPress Checkbox Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers clear security logs to cover tracks after successful intrusion, making incident investigation impossible and potentially enabling persistent undetected access.
Likely Case
Attackers delete plugin logs to hide reconnaissance activities or test exploitability, reducing forensic evidence and security monitoring effectiveness.
If Mitigated
With proper logging to external systems and file integrity monitoring, impact is limited to temporary loss of plugin-specific logs.
🎯 Exploit Status
Simple HTTP POST request to wp-admin/admin-ajax.php with action=checkbox_clean_log. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.11 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392710%40checkbox&new=3392710%40checkbox&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Checkbox plugin and click 'Update Now'.
4. Verify the version is 2.8.11 or higher.
🔧 Temporary Workarounds
Block vulnerable AJAX endpoint (Linux)
Use a web application firewall or .htaccess to block access to the specific AJAX action:
# .htaccess rule for Apache: reject any request whose query string carries the vulnerable action
RewriteEngine On
RewriteCond %{QUERY_STRING} action=checkbox_clean_log [NC]
RewriteRule .* - [F,L]
Note that mod_rewrite inspects only the query string. A POST that sends action=checkbox_clean_log in the request body (the form described under Exploit Status) is not matched by this rule, so a WAF rule that inspects the POST body is needed to cover that case.
Disable Checkbox plugin (all platforms)
Temporarily disable the plugin until patched:
wp plugin deactivate checkbox
🧯 If You Can't Patch
- Implement external logging to syslog or SIEM that cannot be cleared via plugin
- Enable file integrity monitoring on plugin log directories to detect unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Checkbox plugin version. If version ≤ 2.8.10, vulnerable.
Check Version:
wp plugin get checkbox --field=version
Verify Fix Applied:
After update, confirm Checkbox plugin version is 2.8.11 or higher in WordPress admin panel.
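As an added example that is not part of this advisory, the following Python helper compares the version string reported by `wp plugin get checkbox --field=version` against the fixed release numerically. The function names (`parse_version`, `is_vulnerable`, `installed_checkbox_version`) are my own; the version boundaries come from the advisory above. The point it demonstrates is that a plain string comparison gets this check wrong ("2.8.9" sorts after "2.8.10" as text), so versions must be split into integer components first.

```python
import re
import subprocess

FIXED_VERSION = "2.8.11"     # first patched release named in the advisory
LAST_VULNERABLE = "2.8.10"   # highest affected release named in the advisory


def parse_version(v):
    """Turn '2.8.10' into (2, 8, 10) so that comparison is numeric.

    Any trailing non-numeric tag (e.g. '2.8.11-beta') is dropped; only the
    leading dotted-integer part is compared.
    """
    m = re.match(r"^\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_checkbox_version(wp_path=None):
    """Ask WP-CLI for the installed Checkbox version.

    Requires the `wp` binary on PATH and, unless run from the WordPress
    root, a --path pointing at the installation (hypothetical parameter
    wrapper around WP-CLI's own --path option).
    """
    cmd = ["wp", "plugin", "get", "checkbox", "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    return subprocess.check_output(cmd, text=True).strip()


if __name__ == "__main__":
    try:
        installed = installed_checkbox_version()
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not query WP-CLI: {exc}")
    else:
        state = "VULNERABLE" if is_vulnerable(installed) else "patched"
        print(f"Checkbox {installed}: {state} (fixed in {FIXED_VERSION})")
```

Run it from the WordPress root on the host; if WP-CLI is not available, read the version from the admin panel and call `is_vulnerable("<version>")` directly.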
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with 'action=checkbox_clean_log' parameter
- Sudden deletion or truncation of checkbox plugin log files
Network Indicators:
- Unusual spikes in POST requests to wp-admin/admin-ajax.php from unauthenticated sources
SIEM Query:
http.method:POST AND url.path:"/wp-admin/admin-ajax.php" AND http.request.body:action=checkbox_clean_log
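The two log indicators above, implemented as an added Python example that is not part of this advisory: it parses Apache "combined" access-log lines, flags any request to admin-ajax.php whose query string carries `action=checkbox_clean_log` (matched case-insensitively, like the `[NC]` flag in the .htaccess workaround), and counts POSTs to admin-ajax.php per source IP to surface the spike indicator. The sample lines, IP addresses and function names are constructed for the example. One caveat the SIEM query glosses over: a standard access log does not record POST bodies, so a request that sends the action in the body appears only as a bare POST to admin-ajax.php. The first check therefore catches the query-string form; the second is the only signal available from access logs for the body form, and body-level matching needs a WAF or application-layer log that captures request bodies.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=checkbox_clean_log HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.10 - - [12/Nov/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=Checkbox_Clean_Log HTTP/1.1" 200 12 "-" "curl/8.4.0"
198.51.100.7 - - [12/Nov/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:10:02:16 +0000] "GET /wp-content/plugins/checkbox/css/style.css HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.10 - - [12/Nov/2025:10:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "curl/8.4.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTO", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "checkbox_clean_log"


def parse_line(line):
    """Return a dict with ip, ts, method, path, query for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # {'action': ['checkbox_clean_log'], ...}
    return rec


def find_clean_log_requests(log_text):
    """Indicator 1: requests to admin-ajax.php with action=checkbox_clean_log
    in the query string. Returns (ip, timestamp, method) tuples."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != AJAX_PATH:
            continue
        actions = [a.lower() for a in rec["query"].get("action", [])]
        if TARGET_ACTION in actions:
            hits.append((rec["ip"], rec["ts"], rec["method"]))
    return hits


def admin_ajax_post_counts(log_text, threshold=2):
    """Indicator 2: per-IP count of POSTs to admin-ajax.php, returning only
    sources at or above the threshold. Catches body-form requests that the
    query-string check cannot see, at the cost of needing a site-specific
    threshold to avoid flagging legitimate logged-in admin traffic."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == AJAX_PATH:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, ts, method in find_clean_log_requests(SAMPLE_LOG):
        print(f"[clean_log action] {ts} {ip} {method}")
    for ip, n in admin_ajax_post_counts(SAMPLE_LOG).items():
        print(f"[admin-ajax POST spike] {ip}: {n} requests")
```

Point the script at the real access log instead of `SAMPLE_LOG` and correlate any hit with the plugin's log directory (the second log indicator above): a flagged request followed by a truncated log file is the pairing worth escalating.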