Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanaver CloudFlare(R) Cache Purge cloudflare-cache-purge allows Reflected XSS.This issue affects CloudFlare(R) Cache Purge: from n/a through <= 1.2.
Published: 2025-01-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation leads to a reflected cross‑site scripting vulnerability in the CloudFlare(R) Cache Purge plugin. The flaw permits execution of arbitrary client‑side script code when a user visits a page containing the unescaped input. Because the vulnerability is a CWE‑79 weakness, it can potentially compromise the confidentiality of user data or allow an attacker to hijack browser sessions.

Affected Systems

The affected product is the CloudFlare(R) Cache Purge WordPress plugin developed by shanaver. All releases from the earliest available version up to and including 1.2 are vulnerable. This includes any installation running version 1.2 or earlier, since the CVE description provides no further version granularity.

Risk and Exploitability

The CVSS score of 7.1 classifies the issue as high severity, but the EPSS score of less than 1% indicates a very low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web‑based, and based on the description, it is inferred that an attacker may need to supply malicious input that is reflected in the rendered page to trigger script execution.

Generated by OpenCVE AI on May 2, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CloudFlare(R) Cache Purge plugin to any version newer than 1.2, which contains a fix for the reflected XSS flaw.
  • If an upgrade is not possible, remove or disable the plugin to eliminate the attack surface.
  • Apply a web application firewall rule that blocks or sanitizes input containing suspicious script elements targeting the plugin’s interfaces.

Generated by OpenCVE AI on May 2, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2732 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bryan Shanaver @ fiftyandfifty.org CloudFlare(R) Cache Purge allows Reflected XSS. This issue affects CloudFlare(R) Cache Purge: from n/a through 1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bryan Shanaver @ fiftyandfifty.org CloudFlare(R) Cache Purge allows Reflected XSS. This issue affects CloudFlare(R) Cache Purge: from n/a through 1.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanaver CloudFlare(R) Cache Purge cloudflare-cache-purge allows Reflected XSS.This issue affects CloudFlare(R) Cache Purge: from n/a through <= 1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00035}

 epss

{'score': 0.00045}

Fri, 31 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 31 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bryan Shanaver @ fiftyandfifty.org CloudFlare(R) Cache Purge allows Reflected XSS. This issue affects CloudFlare(R) Cache Purge: from n/a through 1.2.
Title WordPress CloudFlare(R) Cache Purge plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:59.605Z

Reserved: 2025-01-03T13:16:33.553Z

Link: CVE-2025-22332

cve-icon Vulnrichment

Updated: 2025-01-31T19:28:56.284Z

cve-icon NVD

Status : Deferred

Published: 2025-01-31T09:15:07.317

Modified: 2026-06-17T08:46:32.550

Link: CVE-2025-22332

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T09:30:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')