Atomic Edge analysis of CVE-2025-13749:
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Clearfy WordPress optimization plugin. The flaw exists in the plugin’s Updates Manager component, specifically in the AJAX handler responsible for toggling update notifications. The vulnerability allows unauthenticated attackers to tamper with update settings, with a CVSS score of 4.3 (Medium severity).

The root cause is missing nonce validation in the `wbcr_upm_change_flag` function. This function, located in `/clearfy/components/updates-manager/admin/ajax/change-flag.php`, processes AJAX requests to change the `flag` parameter, which controls whether update notifications are displayed for plugins or themes. The original vulnerable code, shown in the diff, lacked any CSRF token verification before executing privileged actions. The function only checked for the `install_plugins` capability via `current_user_can`, leaving it open to CSRF attacks.

Exploitation requires an attacker to trick an authenticated administrator with the `install_plugins` capability into submitting a forged request. The attack vector is a standard WordPress AJAX endpoint at `/wp-admin/admin-ajax.php`. The attacker crafts a request with the `action` parameter set to `wbcr_upm_change_flag` and includes the `flag` parameter, which can be set to `0` to disable update notifications or `1` to enable them. The payload is delivered via a malicious link or site that the victim visits, triggering a POST request to the vulnerable endpoint.

The patch adds CSRF protection in two locations. First, in `change-flag.php`, it inserts a call to `check_ajax_referer( 'wbcr_upm_change_flag' )` before the capability check. This function verifies the presence and validity of a WordPress nonce (number used once) specific to this action. Second, in `class-page-plugins.php`, the patch adds a `localize` call to inject a freshly generated nonce, named `wbcr_upm_change_flag`, into the page's JavaScript context. This nonce is then included in legitimate AJAX requests from the plugin's admin interface. The fix ensures that every state-changing request must include a valid, session-specific token that attackers cannot forge.
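The vulnerable handler beside its hardened form, as an added illustration of the fix described above (not Clearfy's code): the action name `wbcr_upm_change_flag` and the `install_plugins` capability come from the analysis, while the option name, function names, script handle and the `admin.js` snippet are assumptions.

```php
<?php
// Added illustration of the CSRF fix; not the plugin's own code. Option name,
// function names and script handle are assumptions.

// BEFORE: only the capability is checked. A logged-in administrator who visits
// a third-party page can be made to send this POST, and WordPress accepts it.
function example_change_flag_vulnerable() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $flag = isset( $_POST['flag'] ) ? absint( $_POST['flag'] ) : 0;
    update_option( 'example_upm_notices_flag', $flag ? 1 : 0 );
    wp_send_json_success();
}

// AFTER: verify the nonce first, then the capability. check_ajax_referer()
// reads the token from $_REQUEST['_ajax_nonce'] or ['_wpnonce'] and dies with
// HTTP 403 when it is missing, expired or bound to a different user.
function example_change_flag_fixed() {
    check_ajax_referer( 'wbcr_upm_change_flag' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $flag = isset( $_POST['flag'] ) ? absint( $_POST['flag'] ) : 0;
    update_option( 'example_upm_notices_flag', $flag ? 1 : 0 );
    wp_send_json_success();
}
add_action( 'wp_ajax_wbcr_upm_change_flag', 'example_change_flag_fixed' );

// The legitimate admin page must now hand the token to its own JavaScript.
// wp_create_nonce() ties the value to the current user and a limited time window.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-upm', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-upm', 'exampleUpm', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wbcr_upm_change_flag' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

/* admin.js (constructed): the plugin's own request carries the token; a
   cross-site page cannot read exampleUpm.nonce, so its forged POST is rejected.
   jQuery.post( exampleUpm.ajaxUrl, {
       action: 'wbcr_upm_change_flag',
       flag: 0,
       _ajax_nonce: exampleUpm.nonce
   } );
*/
```

Ordering the nonce check before `current_user_can` matters: the capability test alone distinguishes who the browser belongs to, not whether the request originated from the plugin's page.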

Successful exploitation disables update notifications for WordPress plugins and themes. This prevents administrators from seeing available security and feature updates. Attackers can leverage this to keep known vulnerable versions active on a site, facilitating further attacks. The impact is a loss of security visibility, which can be a precursor to more severe compromises if outdated, vulnerable software remains unpatched. The attack does not grant direct code execution or data theft, but it persistently suppresses the site's update notifications, a denial of service against the site's update awareness.