Description
The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
Published: 2025-07-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The WordPress Nginx Cache Purge Preload plugin, versions 2.1.1 and earlier, contains a code injection flaw (CWE-94). Unsanitized HTTP_REFERERER values passed through the admin bar handler allow an attacker who can authenticate as an Administrator or higher to supply arbitrary code that is then executed on the web server. Successful exploitation amounts to full server compromise, giving the attacker arbitrary command execution and the ability to exfiltrate data.

Affected Systems

WordPress sites that have installed the Nginx Cache Purge Preload plugin version 2.1.1 or earlier. Security teams should inventory any installation of this plugin and check the version number against the known vulnerable releases.

Risk and Exploitability

The CVSS 3.1 score of 7.2 places this vulnerability in the High severity band, while the EPSS score of less than 1% indicates that the probability of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog, but because the only precondition is an authenticated Administrator account, the potential damage remains high. The likely attack vector is a web request from a legitimate administrator session that carries a crafted HTTP_REFERERER header into the WordPress admin interface. Once executed, the injected code runs with the privileges of the web server process, enabling persistent compromise.

Generated by OpenCVE AI on April 20, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Nginx Cache Purge Preload plugin to the latest available version (or uninstall if no upgrade exists).
  • If upgrading is not immediately possible, disable the plugin's admin-bar functionality or remove the plugin entirely to eliminate the code execution path.
  • Configure the web server or application to whitelist allowable HTTP_REFERERER values and reject or neutralize unexpected content to mitigate future injection attempts.
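One way to implement the third recommendation inside a WordPress plugin, as an added example that is not the plugin's own code: the Referer header is treated as untrusted input even when it arrives from an administrator's session, parsed with WordPress's wp_parse_url(), accepted only when it is an http(s) URL on the site's own host, and replaced with a safe fallback otherwise. The function name nppp_example_safe_referer() and the redirect-after-action use are assumptions; the page does not show the plugin's actual handler.

```php
<?php
/**
 * Added example, not code from the plugin. Returns a URL that is safe to
 * send an administrator back to after a cache action. The header value is
 * validated as a URL and rebuilt from its parsed components; it is only ever
 * used as data (a redirect target), never evaluated or passed to a command.
 *
 * The function name is hypothetical.
 */
function nppp_example_safe_referer() {
    // Fallback when the header is missing or fails any check below.
    $fallback = admin_url();

    if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
        return $fallback;
    }

    // WordPress adds slashes to superglobals; remove them before inspection.
    $referer = wp_unslash( $_SERVER['HTTP_REFERER'] );

    // Reject control characters outright (CR/LF would allow header splitting
    // if the value were ever echoed into a response header).
    if ( ! is_string( $referer ) || preg_match( '/[\x00-\x1f\x7f]/', $referer ) ) {
        return $fallback;
    }

    $parts = wp_parse_url( $referer );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return $fallback;
    }

    // Allow only http(s); this drops javascript:, data:, file: and similar.
    $scheme = strtolower( $parts['scheme'] );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return $fallback;
    }

    // Allow-list: the referer must point at this site's own host.
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( ! is_string( $site_host ) || strcasecmp( $parts['host'], $site_host ) !== 0 ) {
        return $fallback;
    }

    // Rebuild the URL from validated components rather than reusing the raw
    // header; esc_url_raw() then strips anything not valid in a URL.
    $safe = $scheme . '://' . $parts['host'];
    if ( ! empty( $parts['port'] ) ) {
        $safe .= ':' . (int) $parts['port'];
    }
    $safe .= isset( $parts['path'] ) ? $parts['path'] : '/';
    if ( ! empty( $parts['query'] ) ) {
        $safe .= '?' . $parts['query'];
    }

    return esc_url_raw( $safe );
}

// Example use after an admin-bar action has been handled (hypothetical call site):
// wp_safe_redirect( nppp_example_safe_referer() );
// exit;
```

WordPress core already ships wp_validate_redirect( $location, $fallback ), which performs a comparable allowed-host check, and wp_safe_redirect() applies it automatically; the hand-written version above is shown only to make each validation step visible. Whatever the mechanism, the defensive property that matters for this class of flaw is that the header value is never interpolated into anything that is executed.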

Advisories

Source: EUVD
ID: EUVD-2025-22300
Title: The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

History

Fri, 01 Aug 2025 19:15:00 +0000


Wed, 23 Jul 2025 17:45:00 +0000

Type: First Time appeared
Values Added: Psauxit; Psauxit nginx Cache Purge Preload; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Psauxit; Psauxit nginx Cache Purge Preload; Wordpress; Wordpress wordpress

Tue, 22 Jul 2025 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 22 Jul 2025 09:30:00 +0000

Type: Description
Values Added: The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

Type: Title
Values Added: Nginx Cache Purge Preload <= 2.1.1 - Authenticated (Administrator+) Remote Code Execution

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:37.182Z

Reserved: 2025-06-17T19:03:21.568Z

Link: CVE-2025-6213

Vulnrichment

Updated: 2025-07-22T20:03:25.119Z

NVD

Status: Deferred

Published: 2025-07-22T10:15:25.763

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6213

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:15:06Z

Weaknesses