WP-Safety
CVE-2025-13749

Clearfy <= 2.4.0 - Cross-Site Request Forgery to Update Notification Tampering

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.4.1
Patched in
1d
Time to patch

Description

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.4.0
PublishedJanuary 8, 2026
Last updatedJanuary 9, 2026
Affected pluginclearfy

Source Code

WordPress.org SVN
Vulnerable v2.4.0
Browse source Download .zip
Patched v2.4.1
Browse source Download .zip
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit **CVE-2025-13749**, a Cross-Site Request Forgery (CSRF) vulnerability in the **Clearfy Cache** plugin (<= 2.4.0). --- ### 1. Vulnerability Summary The vulnerability exists in the `wbcr_upm_change_flag` function within the Clearfy plu…

Show full research plan

This research plan outlines the steps to investigate and exploit CVE-2025-13749, a Cross-Site Request Forgery (CSRF) vulnerability in the Clearfy Cache plugin (<= 2.4.0).

1. Vulnerability Summary

The vulnerability exists in the wbcr_upm_change_flag function within the Clearfy plugin (specifically its Update Manager component). This function is responsible for toggling administrative flags that control plugin and theme update notifications. Because the function fails to implement WordPress nonce validation (e.g., check_ajax_referer or wp_verify_nonce), it can be triggered by an authenticated administrator without their knowledge if they are tricked into visiting a malicious page or clicking a crafted link.

2. Attack Vector Analysis

  • Target Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: wbcr_upm_change_flag (registered via wp_ajax_wbcr_upm_change_flag)
  • Payload Parameters:
    • action: wbcr_upm_change_flag
    • flag_name or name (inferred): The name of the notification flag to modify.
    • flag_value or value (inferred): The desired state (e.g., 0 for enabled, 1 for disabled).
  • Authentication Level: Requires a session of a logged-in Administrator (via CSRF).
  • Preconditions: The Update Manager component of Clearfy must be active.

3. Code Flow

  1. Registration: The plugin registers the AJAX handler in its initialization phase:
    add_action('wp_ajax_wbcr_upm_change_flag', 'wbcr_upm_change_flag');
  2. Entry Point: An admin (victim) triggers a POST request to admin-ajax.php with the action wbcr_upm_change_flag.
  3. Missing Security Check: The function wbcr_upm_change_flag executes. It likely checks for administrative capabilities using current_user_can('manage_options'), but it does not call check_ajax_referer().
  4. Sink: The function reads the flag name and value from the $_POST array and updates the plugin's configuration, typically using update_option() or update_site_option().

4. Nonce Acquisition Strategy

No nonce is required for this exploit.
The essence of the vulnerability is the complete absence of nonce validation. The attacker does not need to steal or generate a nonce; they only need to ensure the victim (Administrator) has an active session cookie when the request is sent.

5. Exploitation Strategy

To exploit this via CSRF, we will simulate a scenario where an admin's browser is forced to send a cross-origin request.

Step-by-Step Plan:

  1. Identify Parameters: Use grep to find the exact parameter names in the plugin source.
    grep -rn "function wbcr_upm_change_flag" /var/www/html/wp-content/plugins/clearfy/
  2. Construct Payload: Based on the grep results, construct a POST request. Assuming parameters are name and value.
  3. Execute via http_request: Simulate the CSRF by sending a POST request to the AJAX endpoint using the admin's cookies.

Target Payload (Example):

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Body: action=wbcr_upm_change_flag&name=plugin_updates&value=1 (Disabling plugin update notifications).
  • Content-Type: application/x-www-form-urlencoded

6. Test Data Setup

  1. Install Plugin: Ensure Clearfy version 2.4.0 is installed and activated.
  2. Enable Notifications: Ensure update notifications are currently visible/enabled in the WordPress dashboard.
  3. Administrator Session: Ensure you have the session cookies for an admin user.

7. Expected Results

  • The server should return a success response (likely a JSON {"success": true} or a simple string 1).
  • The targeted update notification setting should be changed in the database.
  • The WordPress admin interface should no longer show the disabled notifications.

8. Verification Steps

After sending the http_request, verify the change using WP-CLI to check the underlying option:

# Check the status of Update Manager flags
# The exact option name may vary (e.g., 'wbcr_upm_plugin_updates_disabled')
wp option get wbcr_upm_plugin_updates_disabled

Alternatively, search for all Clearfy/Update Manager options to find the modified value:

wp option list --search="wbcr_upm_*"

9. Alternative Approaches

If wbcr_upm_change_flag is not registered as an AJAX action but as a direct handler for admin_post_:

  • Target Endpoint: /wp-admin/admin-post.php
  • Method: GET or POST
  • Action: wbcr_upm_change_flag

If the function uses $_GET instead of $_POST, the exploit can be simplified to a single <img> tag or a simple browser_navigate call:
http://localhost:8080/wp-admin/admin-ajax.php?action=wbcr_upm_change_flag&name=...&value=...

Source Investigation Commands for the Agent:

# 1. Find the function definition
grep -r "function wbcr_upm_change_flag" /var/www/html/wp-content/plugins/clearfy/

# 2. Find where the action is registered to confirm it's AJAX
grep -r "wbcr_upm_change_flag" /var/www/html/wp-content/plugins/clearfy/ | grep "add_action"

# 3. Read the function body to identify parameters
# (Replace filepath with the result from step 1)
cat /var/www/html/wp-content/plugins/clearfy/[FILEPATH]
Research Findings
Static analysis — not yet PoC-verified

Summary

The Clearfy plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.4.0. The 'wbcr_upm_change_flag' AJAX function fails to perform nonce validation, allowing attackers to trick an authenticated administrator into modifying update manager settings, such as disabling plugin or theme update notifications.

Vulnerable Code

// From components/updates-manager/admin/ajax/change-flag.php (inferred path)

add_action('wp_ajax_wbcr_upm_change_flag', 'wbcr_upm_change_flag');

function wbcr_upm_change_flag() {
    // Vulnerability: No check_ajax_referer() or wp_verify_nonce() call here

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'error_message' => __( 'You don\'t have enough capability to edit this information.', 'clearfy' ) ) );
    }

    $flag_name  = isset( $_POST['name'] ) ? sanitize_text_field( $_POST['name'] ) : null;
    $flag_value = isset( $_POST['value'] ) ? sanitize_text_field( $_POST['value'] ) : null;

    if ( ! empty( $flag_name ) ) {
        update_option( $flag_name, $flag_value );
        wp_send_json_success();
    }

    wp_send_json_error();
}

Security Fix

--- a/components/updates-manager/admin/ajax/change-flag.php
+++ b/components/updates-manager/admin/ajax/change-flag.php
@@ -1,5 +1,7 @@
 function wbcr_upm_change_flag() {
+    check_ajax_referer( 'wbcr_upm_change_flag_nonce' );
+
     if ( ! current_user_can( 'manage_options' ) ) {
         wp_send_json_error( array( 'error_message' => __( 'You don\'t have enough capability to edit this information.', 'clearfy' ) ) );
     }

Exploit Outline

The exploit targets the AJAX endpoint /wp-admin/admin-ajax.php using a CSRF attack. Because the 'wbcr_upm_change_flag' function does not verify a WordPress nonce, an attacker can craft a malicious HTML page that automatically submits a POST request when visited by a logged-in administrator. The payload includes the action 'wbcr_upm_change_flag', a 'name' parameter corresponding to a notification setting (e.g., 'wbcr_upm_plugin_updates_disabled'), and a 'value' (e.g., '1' to disable). Upon execution, the administrator's browser uses their active session cookies to authenticate the request, resulting in the stealthy modification of plugin settings.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/55750dcf-c6ec-4be6-967f-60bf940fa30e?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database