Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS. This issue affects WP Rocket: from n/a through 3.19.4.
Published: 2026-03-19
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

Improper neutralization of input during web page generation allows an attacker to store malicious script content that will be executed when normal users view affected pages. The vulnerability is a stored cross‑site scripting (XSS) flaw, meaning that once an attacker can submit or modify data that the WP Rocket plugin retains, the malicious code will run in the browsers of site visitors. Potential impact includes theft of session cookies, defacement of site content, or execution of further web‑based attacks against site users.

Affected Systems

The WP Media WP Rocket plugin for WordPress is affected, specifically any installation running a version from the earliest available up to and including 3.19.4. Versions 3.20.0.2 and later are not affected.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is user-submittable content that the plugin stores; an attacker would need the ability to create or edit such content, typically via an admin or editor account, or by exploiting the plugin’s configuration interface.

Generated by OpenCVE AI on March 19, 2026 at 06:50 UTC.

Remediation

Vendor Solution

Update the WordPress WP Rocket plugin to the latest available version (at least 3.20.0.2).


OpenCVE Recommended Actions

  • Update the WordPress WP Rocket plugin to version 3.20.0.2 or later.
  • Remove or disable the WP Rocket plugin until the patch is applied.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress; Wordpress wordpress; Wp Media; Wp Media wp Rocket
Vendors & Products: Wordpress; Wordpress wordpress; Wp Media; Wp Media wp Rocket

Thu, 19 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS. This issue affects WP Rocket: from n/a through 3.19.4.
Title: WordPress WP Rocket plugin <= 3.19.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-19T13:52:45.697Z

Reserved: 2026-02-25T12:13:30.134Z

Link: CVE-2026-28044

Vulnrichment

Updated: 2026-03-19T13:52:41.279Z

NVD

Status: Awaiting Analysis

Published: 2026-03-19T06:16:26.173

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-28044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:23Z

Weaknesses