CVE-2025-10583 LOW

CVE-2025-10583: WP Fastest Cache Premium <= 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Blind Server-Side Request Forgery

Vendor: Emrevona
Product: WP Fastest Cache Premium
Weakness: CWE-862 · Missing authorization
Published: December 12, 2025
Last update: April 15, 2026

CVSS base score

3.5/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01 Description

The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers with Subscriber-level access and above to make web requests to arbitrary locations that originate from the web application, which can be used to query and modify information from internal services. The free version is not affected.

Explanation of Vulnerability in Simple Terms

02 Summary

WP Fastest Cache Premium versions up to 1.7.4 lack proper authorization checks, allowing authenticated users with low privileges to modify site settings they should not access. The vulnerability requires network access and an active user account but no additional user interaction. Scope is changed, meaning the impact extends beyond the vulnerable component itself.

What an attacker can do

03 Attacker Capabilities

Modify site settings or configuration that should be restricted to higher-privilege users.

Potential impact on your site

04 Site Impact

Low-privilege users (subscribers, contributors) can alter plugin settings intended only for administrators.

Conditions required to exploit

05 Prerequisites

The attacker must have a low-privilege user account on the WordPress site; network access is required.

Key dates

06 Disclosure timeline

December 12, 2025: CVE published
April 15, 2026: Record updated
