WordPress Plugin Vulnerabilities

WP Fastest Cache < 1.4.1 - Subscriber+ DB Cleanup Actions

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to initiate several database fix actions. This only affects sites with premium activated.

Affects Plugins

Plugin icon
wp-fastest-cache
Fixed in 1.4.1

References

CVE
CVE-2025-10476
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c24cf4de-1392-43a8-85a5-8c66c00c44d7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
f7b223c0-196e-48f2-8669-c8cb848976d0

Timeline

Publicly Published
2025-11-26 (about 5 months ago)
Added
2025-11-27 (about 5 months ago)
Last Updated
2026-04-13 (about 29 days ago)

Other

Published
Title
Published
2024-03-28
Title
Sliced Invoices < 3.9.3 - Missing Authorization
Published
2023-03-07
Title
Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access in Maintenance Mode
Published
2024-04-09
Title
Essential Grid < 3.1.2 - Unauthenticated Private Post Disclosure
Published
2023-11-20
Title
BlossomThemes Email Newsletter < 2.2.5 - Missing Authorization
Published
2023-06-12
Title
WP Directory Kit < 1.2.4 - Missing Authorization for Plugin Settings Update