CVE-2025-14168 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WP DB Booster plugin for WordPress, affecting all versions up to and including 1.0.1. The vulnerability stems from the absence of nonce validation on the cleanup_all AJAX action endpoint. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. Without nonce validation, attackers can craft malicious requests that, when executed by an authenticated administrator (typically by clicking a link), trigger the cleanup_all action. This action deletes critical database records including post drafts, revisions, comments, and metadata, potentially causing data loss and content disruption. The vulnerability requires no prior authentication, but does require user interaction from an administrator, making social engineering a key attack vector. The CVSS v3.1 score is 4.3 (medium), reflecting the limited impact on confidentiality and availability but notable integrity impact due to unauthorized data deletion. No patches or exploit code are currently publicly available, but the vulnerability is documented and should be addressed promptly. The plugin’s widespread use in WordPress sites makes this a relevant threat, especially for sites with multiple administrators or high-value content.

The primary impact of this vulnerability is unauthorized deletion of database content, including post drafts, revisions, comments, and metadata, which can disrupt website operations and content integrity. For organizations relying on WordPress sites with the WP DB Booster plugin, this can lead to data loss, degraded user experience, and potential reputational damage. Although the vulnerability does not allow direct data theft or site takeover, the loss of content and metadata can require significant recovery efforts and downtime. Attackers exploiting this flaw could selectively target high-value content or disrupt editorial workflows. Since exploitation requires tricking an administrator, organizations with less security awareness or high administrator turnover are at greater risk. The vulnerability does not impact confidentiality or availability directly but compromises data integrity, which is critical for content management systems. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code could emerge following public disclosure.

Organizations should immediately verify if the WP DB Booster plugin is installed and identify the version in use. Since no official patches are currently available, administrators should implement manual mitigations such as adding nonce validation to the cleanup_all AJAX action to ensure requests are legitimate. Restricting AJAX actions to authenticated users with appropriate capabilities can also reduce risk. Administrators should be trained to recognize phishing and social engineering attempts to prevent inadvertent execution of malicious links. Monitoring web server logs for suspicious AJAX requests targeting cleanup_all can help detect attempted exploitation. Regular backups of WordPress databases and content are essential to enable recovery from unauthorized deletions. Organizations should subscribe to vendor advisories and update the plugin promptly once a patch is released. Additionally, consider disabling or replacing the plugin if it is not critical to operations until a secure version is available.