← Retour aux CVEs

CVE-2025-6213

HIGH

7.2

Description

The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

Details CVE

Score CVSS v3.17.2

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisHIGH

Interaction utilisateurNONE

Publie7/22/2025

Derniere modification8/1/2025

Sourcenvd

Observations honeypot0

Faiblesses (CWE)

CWE-94

References

https://github.com/psaux-it/nginx-fastcgi-cache-purge-and-preload(security@wordfence.com)

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332176%40fastcgi-cache-purge-and-preload-nginx&new=3332176%40fastcgi-cache-purge-and-preload-nginx&sfp_email=&sfph_mail=#file15(security@wordfence.com)

https://wordpress.org/plugins/fastcgi-cache-purge-and-preload-nginx/(security@wordfence.com)

https://www.wordfence.com/threat-intel/vulnerabilities/id/bbe8c101-5e0a-4ba7-8ff7-4c8ed01e9ef5?source=cve(security@wordfence.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.