Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network AJAX endpoint requires subscriber authentication (PR:L); impact is cache deletion only, yielding low integrity and no confidentiality or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The ThriveDesk - Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrivedesk_clear_cache' AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's cache.
AnalysisAI
Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the thrivedesk_clear_cache AJAX action. The root cause is a CWE-862 Missing Authorization flaw in includes/helper.php - any logged-in user can invoke the privileged cache-clearing function without role validation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum Subscriber-level role (PR:L per CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) accurately characterizes the bounded scope of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a subscriber account on a target WordPress site running ThriveDesk 2.1.7 or earlier submits a crafted POST request to `wp-admin/admin-ajax.php` with the body parameter `action=thrivedesk_clear_cache` and a valid WordPress nonce. Because the handler performs no capability check, the server executes the cache-clearing routine and returns a success response. … |
| Remediation | Update ThriveDesk to version 2.2.0 or later; the fix is confirmed by the WordPress plugin repository changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3512748%40thrivedesk&new=3512748%40thrivedesk. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43146
GHSA-m58j-w5gx-pqhj