Description
Cross-Site Request Forgery (CSRF) vulnerability in matthewprice1178 WP Database Optimizer wp-database-optimizer allows Cross Site Request Forgery. This issue affects WP Database Optimizer: from n/a through <= 1.2.1.3.
Published: 2025-03-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the WP Database Optimizer plugin, allowing an attacker to forge a request that the plugin will accept as legitimate. A forged request could trigger database optimization tasks or other privileged operations performed by the plugin without the target’s consent. The weakness is a classic CSRF flaw (CWE‑352).

Affected Systems

The issue affects the WP Database Optimizer plugin by matthewprice1178, versions up to and including 1.2.1.3. Sites running WordPress that have this plugin installed and enabled are exposed.

Risk and Exploitability

The CVSS score of 4.3 reflects moderate impact, and the EPSS score of less than 1% indicates a low probability of exploitation in the short term. This vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker either to obtain a victim’s authenticated session or to craft a phishing link that coerces a logged‑in administrator into visiting a URL that triggers the privileged action. Because the attack vector is client‑side, it can be executed without any network intrusion or server‑side compromise. The risk is higher on sites with publicly exposed or otherwise insufficiently protected admin accounts.

Generated by OpenCVE AI on May 1, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Database Optimizer to the latest version (1.2.1.4 or newer) or remove the plugin if it is no longer needed
  • Deploy a CSRF token validation mechanism on all forms that perform privileged actions, ensuring the token is unique per user session
  • Restrict access to the WordPress administration area by enforcing role‑based access controls and MFA, and monitor for unexpected database optimization attempts

Generated by OpenCVE AI on May 1, 2026 at 03:31 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-8596
Title: Cross-Site Request Forgery (CSRF) vulnerability in matthewprice1178 WP Database Optimizer allows Cross Site Request Forgery. This issue affects WP Database Optimizer: from n/a through 1.2.1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Cross-Site Request Forgery (CSRF) vulnerability in matthewprice1178 WP Database Optimizer allows Cross Site Request Forgery. This issue affects WP Database Optimizer: from n/a through 1.2.1.3.
Values added: Cross-Site Request Forgery (CSRF) vulnerability in matthewprice1178 WP Database Optimizer wp-database-optimizer allows Cross Site Request Forgery.This issue affects WP Database Optimizer: from n/a through <= 1.2.1.3.

Type: Title
Values removed: WordPress WP Database Optimizer <= 1.2.1.3 - Cross Site Request Forgery (CSRF) Vulnerability
Values added: WordPress WP Database Optimizer plugin <= 1.2.1.3 - Cross Site Request Forgery (CSRF) Vulnerability

Type: References
(no values shown)

Type: Metrics (cvssV3_1)
Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Fri, 28 Mar 2025 16:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Mar 2025 12:00:00 +0000

Type: Description
Value: Cross-Site Request Forgery (CSRF) vulnerability in matthewprice1178 WP Database Optimizer allows Cross Site Request Forgery. This issue affects WP Database Optimizer: from n/a through 1.2.1.3.

Type: Title
Value: WordPress WP Database Optimizer <= 1.2.1.3 - Cross Site Request Forgery (CSRF) Vulnerability

Type: Weaknesses
Value: CWE-352

Type: References
(no values shown)

Type: Metrics (cvssV3_1)
Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:57:07.730Z

Reserved: 2025-03-28T11:01:02.396Z

Link: CVE-2025-31474

Vulnrichment

Updated: 2025-03-28T15:33:46.091Z

NVD

Status : Deferred

Published: 2025-03-28T12:15:20.257

Modified: 2026-04-23T15:27:53.757

Link: CVE-2025-31474

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:45:07Z

Weaknesses