CVE-2025-7822: 
WordPress vulnerability analysis and mitigation

The WP Wallcreeper plugin for WordPress contains a security vulnerability identified as CVE-2025-7822, discovered and disclosed on July 23, 2025. The vulnerability affects all versions up to and including 1.6.1 of the plugin. This security issue stems from a missing capability check on the admin_notices hook, which creates a potential security risk for WordPress installations using this plugin (NVD Database).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (Medium severity). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges for exploitation (NVD Database).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to enable and disable caching functionality within the plugin. This unauthorized access to caching controls could potentially affect the website's performance and security settings (NVD Database).

Website administrators running the WP Wallcreeper plugin should ensure they are not using versions 1.6.1 or earlier. The vulnerability was reported through Wordfence's threat intelligence system, suggesting that updates or patches may be available through official WordPress plugin channels (Wordfence).