{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11497", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-08T13:52:49.482Z", "datePublished": "2025-10-25T06:49:22.013Z", "dateUpdated": "2026-04-08T16:51:59.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:59.206Z"}, "affected": [{"vendor": "symptote", "product": "Advanced Database Cleaner \u2013 Optimize & Clean Database to Speed Up Site Performance", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2025-64357 is a duplicate of this issue."}], "title": "Advanced Database Cleaner <= 3.1.6 - Cross-Site Request Forgery to Settings Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f4635ac-2ce6-4135-8d2b-d03b42860f05?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382581%40advanced-database-cleaner&new=3382581%40advanced-database-cleaner&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock"}], "timeline": [{"time": "2025-10-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:52:46.522617Z", "id": "CVE-2025-11497", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:52:54.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11497", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:52:46.522617Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:52:50.764Z"}}], "cna": {"title": "Advanced Database Cleaner <= 3.1.6 - Cross-Site Request Forgery to Settings Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "symptote", "product": "Advanced Database Cleaner \u2013 Optimize & Clean Database to Speed Up Site Performance", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-24T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f4635ac-2ce6-4135-8d2b-d03b42860f05?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382581%40advanced-database-cleaner&new=3382581%40advanced-database-cleaner&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2025-64357 is a duplicate of this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:59.206Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11497", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:59.206Z", "dateReserved": "2025-10-08T13:52:49.482Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T06:49:22.013Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2025-64357 is a duplicate of this issue."}], "id": "CVE-2025-11497", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T07:15:40.170", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382581%40advanced-database-cleaner&new=3382581%40advanced-database-cleaner&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f4635ac-2ce6-4135-8d2b-d03b42860f05?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:46:01.285058+00:00", "value": {"mitigation_remediation": ["Install the latest version of Advanced Database Cleaner (any release higher than 3.1.6).", "If an upgrade is not feasible, deactivate or remove the plugin from the WordPress installation.", "If the plugin must remain, add a custom filter or hook to enforce nonce validation on the aDBc_prepare_elements_to_clean() endpoint (or deploy a Web Application Firewall rule to block forged requests lacking valid nonce tokens)."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized settings changes via CSRF"}, "threat_synthesis": {"affected_systems": "The plugin is developed by symptote and is called \"Advanced Database Cleaner \u2013 Optimize & Clean Database to Speed Up Site Performance\". All releases up to and including version 3.1.6 are vulnerable, while version 3.1.7 and later contain the fix.", "description_and_impact": "The Advanced Database Cleaner plugin for WordPress contains a Cross\u2011Site Request Forgery flaw that lets an attacker modify the \"keep last\" configuration by influencing an administrator to click a malicious link. The weakness arises from missing or incorrect nonce validation in the aDBc_prepare_elements_to_clean() function, a classic input validation problem (CWE\u201120).", "risk_and_exploitability": "The CVSS base score of 4.3 indicates a moderate impact; the EPSS score is less than 1%, suggesting a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an unauthenticated attacker to supply a forged request to the vulnerable function, and the attack relies on a victim administrator performing a legitimate action, typically clicking a crafted link. Because the flaw permits configuration changes, an attacker could manipulate database cleaning settings, potentially leading to unintended data removal or performance issues if the settings were altered from their intended state."}}}}, "created": "2025-10-27T22:10:13.480610+00:00", "updated": "2026-04-22T17:00:12.303580+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}