Description
The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the "keep last" setting via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. CVE-2025-64357 is a duplicate of this issue.
Published: 2025-10-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized settings changes via CSRF
Action: Patch Immediately
AI Analysis

Impact

The Advanced Database Cleaner plugin for WordPress contains a Cross-Site Request Forgery flaw that lets an attacker modify the "keep last" configuration by inducing an administrator to click a malicious link. The weakness arises from missing or incorrect nonce validation in the aDBc_prepare_elements_to_clean() function, a classic input validation problem (CWE-20).

Affected Systems

The plugin is developed by symptote and is called "Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance". All releases up to and including version 3.1.6 are vulnerable, while version 3.1.7 and later contain the fix.

Risk and Exploitability

The CVSS base score of 4.3 indicates a moderate impact; the EPSS score is less than 1%, suggesting a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation does not require authentication: the attacker crafts the request, but it is submitted from the administrator's own authenticated browser session when the administrator performs a seemingly legitimate action, typically clicking a crafted link. Because the flaw permits configuration changes, an attacker could manipulate database cleaning settings, potentially leading to unintended data removal or performance issues if the settings were altered from their intended state.

Generated by OpenCVE AI on April 22, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of Advanced Database Cleaner (any release higher than 3.1.6).
  • If an upgrade is not feasible, deactivate or remove the plugin from the WordPress installation.
  • If the plugin must remain, add a custom filter or hook to enforce nonce validation on the aDBc_prepare_elements_to_clean() endpoint (or deploy a Web Application Firewall rule to block forged requests lacking valid nonce tokens).

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Values Added: The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2025-64357 is a duplicate of this issue.

Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Oct 2025 07:00:00 +0000

Type: Description
Values Added: The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Title
Values Added: Advanced Database Cleaner <= 3.1.6 - Cross-Site Request Forgery to Settings Manipulation
Type: Weaknesses
Values Added: CWE-20
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:59.206Z

Reserved: 2025-10-08T13:52:49.482Z

Link: CVE-2025-11497

Vulnrichment

Updated: 2025-10-27T15:52:50.764Z

NVD

Status: Deferred

Published: 2025-10-25T07:15:40.170

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses