CVE-2025-6213
The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
No affected software listed.
- https://github.com/psaux-it/nginx-fastcgi-cache-purge-and-preload
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332176%40fastcgi-cache-purge-and-preload-nginx&new=3332176%40fastcgi-cache-purge-and-preload-nginx&sfp_email=&sfph_mail=#file15
- https://wordpress.org/plugins/fastcgi-cache-purge-and-preload-nginx/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bbe8c101-5e0a-4ba7-8ff7-4c8ed01e9ef5?source=cve
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime