Webcraftic Clearfy – WordPress optimization plugin < 2.3.2 – Cross-Site Request Forgery to Clear Cache | CVE 2024-13338 | Plugin Vulnerabilities

Description

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on the wclearfy_cache_delete functionality . This makes it possible for unauthenticated attackers to clear the cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 2.3.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e0a37ce4-9860-415e-bb88-545c30c95fc1

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Whit Taylor

Verified

No

WPVDB ID

3bebbbb5-9967-4259-9bc0-4665adf3ac9f

Timeline

Publicly Published

2025-04-11 (about 1 year ago)

Added

2025-04-11 (about 1 year ago)

Last Updated

2025-04-12 (about 1 year ago)

Other

Published

Title

Published

2025-05-07

Title

WPSpeed < 2.6.6 - Cross-Site Request Forgery

Published

2024-04-26

Title

Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation < 2.16.0 - Cross-Site Request Forgery to Notice Dismissal

Published

2024-10-14

Title

ProfileGrid < 5.9.3.1 - Cross-Site Request Forgery

Published

2025-03-19

Title

WP MultiTasking <= 0.1.12 - Permalink Suffix Update via CSRF

Published

2014-08-01

Title

Easy Media Gallery 1.2.25 - includes/emg-settings.php spg_add_admin Function Admin User Creation CSRF