CVE-2025-7822 is a vulnerability identified in the WP Wallcreeper plugin for WordPress, affecting all versions up to and including 1.6.1. The root cause is a missing authorization check (CWE-862) on the admin_notices hook, which is a WordPress action used to display administrative notices. This flaw allows any authenticated user with at least Subscriber-level privileges to modify caching settings by enabling or disabling caching, actions that should normally be restricted to administrators or users with higher privileges. The vulnerability does not require user interaction and can be exploited remotely over the network. While the vulnerability does not expose confidential data or cause denial of service, it permits unauthorized integrity changes to site configuration, potentially impacting site performance and behavior. The CVSS v3.1 score is 4.3 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, but partial integrity impact. No patches or known exploits are currently available, so mitigation relies on restricting access and monitoring until a fix is released.

The primary impact of this vulnerability is unauthorized modification of caching settings within WordPress sites using the WP Wallcreeper plugin. This can lead to unintended enabling or disabling of caching, which may degrade site performance, increase server load, or cause inconsistent content delivery. Although it does not directly compromise sensitive data or availability, the integrity of site configuration is affected, which could be leveraged as part of a broader attack chain. Attackers with low-level authenticated access (Subscriber or higher) can exploit this, which is significant because such roles are commonly assigned to registered users or contributors in many WordPress deployments. Organizations relying on WP Wallcreeper for caching or site optimization may experience reduced site reliability or performance issues, potentially impacting user experience and operational efficiency. The vulnerability could also be used to bypass caching-based security controls or monitoring, indirectly facilitating further attacks.

Until an official patch is released, organizations should implement strict access controls to limit Subscriber-level and higher accounts to trusted users only. Review and audit user roles and permissions to ensure minimal privilege principles are enforced. Disable or remove the WP Wallcreeper plugin if caching control is not critical or if alternative caching solutions are available. Monitor WordPress logs and admin notices for unusual changes to caching settings. Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized attempts to modify caching configurations via the admin_notices hook. Keep WordPress core and all plugins updated regularly and subscribe to vendor advisories for timely patch releases. Consider implementing multi-factor authentication (MFA) to reduce the risk of compromised accounts being used to exploit this vulnerability.