Description
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to initiate several database fix actions. This only affects sites with premium activated.
Published: 2025-11-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Database Modification
Action: Patch Update
AI Analysis

Impact

WP Fastest Cache contains a missing capability check in the wpfc_db_fix_callback() function that permits authenticated users with Subscriber-level or higher access to trigger database cleanup actions. This flaw allows attackers to perform unauthorized modifications or deletions of site data, potentially affecting content integrity and availability. The weakness aligns with CWE-862, Missing Authorization.

Affected Systems

WordPress sites that have the WP Fastest Cache plugin installed at version 1.4.0 or earlier and have the premium feature activated are affected. Such a site is vulnerable as long as it permits users with Subscriber or higher roles to access it.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attacker must be authenticated with at least Subscriber privileges; the exploit requires no additional external access beyond legitimate site credentials. Once authenticated, the attacker can initiate cleanup operations that alter or delete database entries, leading to data integrity risks.

Generated by OpenCVE AI on April 21, 2026 at 01:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Fastest Cache to version 1.4.1 or newer to eliminate the missing authorization check.
  • If an upgrade is not possible, disable the premium cache functionality to remove the vulnerable cleanup actions from the site.
  • After taking corrective action, review the database for unintended changes and restore from backup if necessary.


Advisories

No advisories yet.

History

Wed, 03 Dec 2025 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Nov 2025 16:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Emrevona; Emrevona wp Fastest Cache; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Emrevona; Emrevona wp Fastest Cache; Wordpress; Wordpress wordpress

Thu, 27 Nov 2025 11:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to initiate several database fix actions. This only affects sites with premium activated.

Type: Title
Values Removed: (none)
Values Added: WP Fastest Cache <= 1.4.0 - Missing Authorization to Authenticated (Subscriber+) DB Cleanup Actions

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:08.134Z

Reserved: 2025-09-15T13:53:22.101Z

Link: CVE-2025-10476

Vulnrichment

Updated: 2025-12-03T21:18:37.968Z

NVD

Status: Deferred

Published: 2025-11-27T11:15:45.863

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:15:20Z
