Advanced Database Cleaner < 3.1.7 – Settings Manipulation via CSRF | CVE 2025-11497 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

advanced-database-cleaner

Fixed in 3.1.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f4635ac-2ce6-4135-8d2b-d03b42860f05

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bao - BlueRock

Verified

No

WPVDB ID

68959dac-a3e5-4281-92db-2b956d3db8da

Timeline

Publicly Published

2025-10-24 (about 6 months ago)

Added

2025-10-27 (about 6 months ago)

Last Updated

2025-10-27 (about 6 months ago)

Other

Published

Title

Published

2025-06-27

Title

Cyrlitera < 1.3.1 - Cross-Site Request Forgery

Published

2024-04-26

Title

WP GDPR Compliance <= 2.0.23 - Cross-Site Request Forgery

Published

2023-11-02

Title

Kadence WooCommerce Email Designer < 1.5.12 - CSRF

Published

2019-08-23

Title

WooCommerce Address Book < 1.6.0 - CSRF

Published

2023-10-16

Title

MailChimp Forms by MailMunch < 3.1.5 - Arbitrary Actions via CSRF