WP Wallcreeper <= 1.6.1 - Missing Authorization to Authenticated (Susbcriber+) Cache Enable/Disable

July 24, 2025 invoker category_cve

CVE Details

Basic Information

Title WP Wallcreeper <= 1.6.1 - Missing Authorization to Authenticated (Susbcriber+) Cache Enable/Disable
Type cve
Published 2025-07-24T09:22:18.285Z
Modified 2025-07-24T09:22:18.285Z

Product Information

Vendor alexalouit
Product WP Wallcreeper
Version *

CVSS Information

Base Score 4.3 (MEDIUM)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Products

  • alexalouit WP Wallcreeper *

Additional Information

CWE List CWE-862
Source Wordfence

Description

The WP Wallcreeper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notices hook in all versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable caching.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.