Skip to main content

ThriveDesk EUVDEUVD-2026-43146

| CVE-2026-1832 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-m58j-w5gx-pqhj
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network AJAX endpoint requires subscriber authentication (PR:L); impact is cache deletion only, yielding low integrity and no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:22 vuln.today
CVE Published
Jul 11, 2026 - 03:44 nvd
MEDIUM 4.3

DescriptionCVE.org

The ThriveDesk - Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrivedesk_clear_cache' AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's cache.

AnalysisAI

Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the thrivedesk_clear_cache AJAX action. The root cause is a CWE-862 Missing Authorization flaw in includes/helper.php - any logged-in user can invoke the privileged cache-clearing function without role validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Subscriber-level account
Exploit
Craft POST to wp-admin/admin-ajax.php with action=thrivedesk_clear_cache
Execution
Missing capability check bypassed
Impact
Plugin cache deleted without authorization

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum Subscriber-level role (PR:L per CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) accurately characterizes the bounded scope of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a subscriber account on a target WordPress site running ThriveDesk 2.1.7 or earlier submits a crafted POST request to `wp-admin/admin-ajax.php` with the body parameter `action=thrivedesk_clear_cache` and a valid WordPress nonce. Because the handler performs no capability check, the server executes the cache-clearing routine and returns a success response. …
Remediation Update ThriveDesk to version 2.2.0 or later; the fix is confirmed by the WordPress plugin repository changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3512748%40thrivedesk&new=3512748%40thrivedesk. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy