Description
The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to delete database records including post drafts, revisions, comments, and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Database Deletion via CSRF
Action: Patch
AI Analysis

Impact

WP DB Booster, a WordPress plugin, is vulnerable to Cross‑Site Request Forgery due to missing nonce validation on the cleanup_all AJAX action. The flaw allows an unauthenticated attacker to forge a request that, if an administrator is tricked into clicking a malicious link, results in the permanent deletion of database records such as post drafts, revisions, comments and metadata.

Affected Systems

The vulnerability affects the WP Maniax WP DB Booster plugin versions up to and including 1.0.1; any WordPress site installing these versions is exposed if an administrator’s dashboard is accessed.

Risk and Exploitability

The CVSS score of 4.3 reflects moderate severity, and the EPSS score below 1% indicates a very low exploitation probability. Because the exploit requires the victim to act as an administrator, the attack is not fully remote and is listed as not in CISA KEV. Nonetheless, any site that can be tricked into executing the action is at risk of data loss; the absence of a nonce means the action can be called from any origin with no authentication, making the flaw readily exploitable with a simple forged link.

Generated by OpenCVE AI on April 20, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP DB Booster to version 1.0.2 or later, which removes the CSRF flaw.
  • If an immediate upgrade is not possible, restrict administrator access to the WordPress dashboard with IP whitelisting or two‑factor authentication to reduce the chance of an accidental CSRF request.
  • Disable or remove the cleanup_all AJAX endpoint from the plugin until the vulnerability is patched, or disable the plugin entirely until a fix is available.

Generated by OpenCVE AI on April 20, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 21 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 20 Dec 2025 03:30:00 +0000

Type Values Removed Values Added
Description The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to delete database records including post drafts, revisions, comments, and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title WP DB Booster <= 1.0.1 - Cross-Site Request Forgery to Database Cleanup
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:40.808Z

Reserved: 2025-12-05T21:24:56.492Z

Link: CVE-2025-14168

cve-icon Vulnrichment

Updated: 2025-12-22T20:30:51.272Z

cve-icon NVD

Status : Deferred

Published: 2025-12-20T04:16:07.840

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14168

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses