{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14168", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T21:24:56.492Z", "datePublished": "2025-12-20T03:20:24.069Z", "dateUpdated": "2026-04-08T17:23:40.808Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:40.808Z"}, "affected": [{"vendor": "wpmaniax", "product": "WP DB Booster", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to delete database records including post drafts, revisions, comments, and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WP DB Booster <= 1.0.1 - Cross-Site Request Forgery to Database Cleanup", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0af0a4-81b5-425e-aba3-0c422aa33634?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-db-booster/trunk/admin/class-wp-db-booster-admin.php#L336"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-db-booster/tags/1.0.1/admin/class-wp-db-booster-admin.php#L336"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-12-19T15:05:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T20:30:48.357881Z", "id": "CVE-2025-14168", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:30:54.223Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14168", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T20:30:48.357881Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:30:51.272Z"}}], "cna": {"title": "WP DB Booster <= 1.0.1 - Cross-Site Request Forgery to Database Cleanup", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpmaniax", "product": "WP DB Booster", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T15:05:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0af0a4-81b5-425e-aba3-0c422aa33634?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-db-booster/trunk/admin/class-wp-db-booster-admin.php#L336"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-db-booster/tags/1.0.1/admin/class-wp-db-booster-admin.php#L336"}], "descriptions": [{"lang": "en", "value": "The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to delete database records including post drafts, revisions, comments, and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:40.808Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14168", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:40.808Z", "dateReserved": "2025-12-05T21:24:56.492Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-20T03:20:24.069Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to delete database records including post drafts, revisions, comments, and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14168", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-20T04:16:07.840", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-db-booster/tags/1.0.1/admin/class-wp-db-booster-admin.php#L336"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-db-booster/trunk/admin/class-wp-db-booster-admin.php#L336"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0af0a4-81b5-425e-aba3-0c422aa33634?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:21:26.500909+00:00", "value": {"mitigation_remediation": ["Upgrade WP DB Booster to version 1.0.2 or later, which removes the CSRF flaw.", "If an immediate upgrade is not possible, restrict administrator access to the WordPress dashboard with IP whitelisting or two\u2011factor authentication to reduce the chance of an accidental CSRF request.", "Disable or remove the cleanup_all AJAX endpoint from the plugin until the vulnerability is patched, or disable the plugin entirely until a fix is available."], "summary": {"action": "Patch", "impact": "Unrestricted Database Deletion via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WP Maniax WP DB Booster plugin versions up to and including 1.0.1; any WordPress site installing these versions is exposed if an administrator\u2019s dashboard is accessed.", "description_and_impact": "WP DB Booster, a WordPress plugin, is vulnerable to Cross\u2011Site Request Forgery due to missing nonce validation on the cleanup_all AJAX action. The flaw allows an unauthenticated attacker to forge a request that, if an administrator is tricked into clicking a malicious link, results in the permanent deletion of database records such as post drafts, revisions, comments and metadata.", "risk_and_exploitability": "The CVSS score of 4.3 reflects moderate severity, and the EPSS score below 1% indicates a very low exploitation probability. Because the exploit requires the victim to act as an administrator, the attack is not fully remote and is listed as not in CISA KEV. Nonetheless, any site that can be tricked into executing the action is at risk of data loss; the absence of a nonce means the action can be called from any origin with no authentication, making the flaw readily exploitable with a simple forged link."}}}}, "created": "2025-12-21T21:12:33.652831+00:00", "updated": "2026-04-20T21:30:18.570964+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}