{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7822", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T17:42:40.994Z", "datePublished": "2025-07-24T09:22:18.285Z", "dateUpdated": "2026-04-08T16:57:06.471Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:06.471Z"}, "affected": [{"vendor": "alexalouit", "product": "WP Wallcreeper", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Wallcreeper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notices hook in all versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable caching."}], "title": "WP Wallcreeper <= 1.6.1 - Missing Authorization to Authenticated (Susbcriber+) Cache Enable/Disable", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/629f36e3-f4a4-43a6-a98b-960088c8dd77?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-wallcreeper/trunk/wp-wallcreeper.php#L166"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "timeline": [{"time": "2025-07-23T20:39:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T13:35:31.208350Z", "id": "CVE-2025-7822", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:35:43.601Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7822", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-24T13:35:31.208350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:35:38.266Z"}}], "cna": {"title": "WP Wallcreeper <= 1.6.1 - Missing Authorization to Authenticated (Susbcriber+) Cache Enable/Disable", "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "alexalouit", "product": "WP Wallcreeper", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-23T20:39:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/629f36e3-f4a4-43a6-a98b-960088c8dd77?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-wallcreeper/trunk/wp-wallcreeper.php#L166"}], "descriptions": [{"lang": "en", "value": "The WP Wallcreeper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notices hook in all versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable caching."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:06.471Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7822", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:06.471Z", "dateReserved": "2025-07-18T17:42:40.994Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T09:22:18.285Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Wallcreeper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notices hook in all versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable caching."}, {"lang": "es", "value": "El complemento WP Wallcreeper para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en el gancho admin_notices en todas las versiones hasta la 1.6.1 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, habiliten y deshabiliten el almacenamiento en cach\u00e9."}], "id": "CVE-2025-7822", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-24T10:15:28.763", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-wallcreeper/trunk/wp-wallcreeper.php#L166"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/629f36e3-f4a4-43a6-a98b-960088c8dd77?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:03:54.913970+00:00", "value": {"mitigation_remediation": ["Upgrade WP Wallcreeper to version 1.6.2 or later where the capability check is enforced", "Audit the WordPress user roles to confirm that Subscriber accounts do not possess the capability to modify caching settings; adjust role definitions if necessary", "Apply a role\u2011management plugin or configuration to restrict cache\u2011control capabilities exclusively to administrators or designated roles"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of plugin caching settings by authenticated subscribers and above"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the WP Wallcreeper plugin, versions 1.6.1 and all earlier releases. Any site that has the plugin activated and an authenticated user with Subscriber or higher privileges is at risk.", "description_and_impact": "The WP Wallcreeper WordPress plugin contains a missing capability check on the admin_notices hook in all releases up to and including 1.6.1. This flaw, identified as CWE\u2011862 (Missing Authorization), permits any authenticated user with Subscriber-level access or higher to enable or disable the plugin's caching feature, thereby altering site behavior without proper authorization. The vulnerability does not expose remote code execution or direct data exfiltration but enables an attacker to tamper with site performance and potentially disrupt content delivery.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate impact for authorized users, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires only that the attacker is logged into the WordPress admin area; no additional vulnerabilities or elevated privileges are needed beyond the standard role permissions. The attack vector is the web application through the admin_notices hook, inferred from the description."}}}}, "created": "2025-07-24T21:26:42.465216+00:00", "updated": "2026-04-22T04:15:07.535006+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}