{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12014", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T13:36:53.831Z", "datePublished": "2025-10-24T08:24:01.389Z", "dateUpdated": "2026-04-08T17:02:58.438Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:58.438Z"}, "affected": [{"vendor": "getclouder", "product": "NGINX Cache Optimizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NGINX Cache Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nginxcacheoptimizer-blacklist-update' AJAX action in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add URLs to the Exclude URLs From Dynamic Caching setting."}], "title": "NGINX Cache Optimizer <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dd18e4e-9aa6-403e-aec3-21f33d739066?source=cve"}, {"url": "https://wordpress.org/plugins/nginx-cache-optimizer/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-10-23T20:08:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-24T12:10:45.631019Z", "id": "CVE-2025-12014", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T12:30:36.012Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12014", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-24T12:10:45.631019Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T12:10:46.363Z"}}], "cna": {"title": "NGINX Cache Optimizer <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "getclouder", "product": "NGINX Cache Optimizer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-23T20:08:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dd18e4e-9aa6-403e-aec3-21f33d739066?source=cve"}, {"url": "https://wordpress.org/plugins/nginx-cache-optimizer/"}], "descriptions": [{"lang": "en", "value": "The NGINX Cache Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nginxcacheoptimizer-blacklist-update' AJAX action in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add URLs to the Exclude URLs From Dynamic Caching setting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:58.438Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12014", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:58.438Z", "dateReserved": "2025-10-21T13:36:53.831Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-24T08:24:01.389Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The NGINX Cache Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nginxcacheoptimizer-blacklist-update' AJAX action in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add URLs to the Exclude URLs From Dynamic Caching setting."}], "id": "CVE-2025-12014", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-24T09:15:43.757", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/nginx-cache-optimizer/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dd18e4e-9aa6-403e-aec3-21f33d739066?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:38:50.620073+00:00", "value": {"mitigation_remediation": ["Upgrade NGINX Cache Optimizer to version 1.2 or later", "Remove or restrict the \u2018nginxcacheoptimizer-blacklist-update\u2019 capability from Subscriber users", "Verify that all AJAX endpoints in the plugin perform proper capability checks and monitor for unauthorized changes"], "summary": {"action": "Update Plugin", "impact": "Unauthorized modification of dynamic caching exclusion settings"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to installations of the getclouder NGINX Cache Optimizer WordPress plugin with versions up to and including 1.1. Any WordPress site that has this plugin installed and does not have a later patched version is affected.", "description_and_impact": "The NGINX Cache Optimizer plugin for WordPress fails to enforce a capability check on the \u2018nginxcacheoptimizer-blacklist-update\u2019 AJAX action. As a result, any authenticated user with Subscriber level access or higher can send a crafted request to add or alter URLs in the Exclude URLs From Dynamic Caching setting. This unauthorized modification allows an attacker to manipulate the caching behaviour of a WordPress site, potentially causing legitimate pages to be cached or excluded inappropriately, which may lead to degraded performance, incorrect content delivery, or inadvertent exposure of sensitive information to cache. The associated weakness is a missing authorization check (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% shows that the likelihood of exploitation in the wild is low, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated attacker who can log into the WordPress site with Subscriber or higher privileges. Once authenticated, the attacker simply triggers the AJAX endpoint to modify the exclusion list. Because no elevated privileges or remote code execution is needed, the risk is primarily confined to the site's caching configuration rather than to full system compromise."}}}}, "created": "2025-10-27T22:13:09.820880+00:00", "updated": "2026-04-22T12:45:17.025058+00:00", "vendors": ["getclouder", "getclouder$PRODUCT$nginx_cache_optimizer", "wordpress", "wordpress$PRODUCT$wordpress"]}