Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Acato WP REST Cache wp-rest-cache allows Stored XSS.This issue affects WP REST Cache: from n/a through <= 2026.1.0.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Acato WP REST Cache WordPress plugin through version 2026.1.0, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of site administrators and users. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects all installations of WP REST Cache up to and including version 2026.1.0. An attacker with appropriate access could inject stored XSS payloads that compromise administrator sessions, steal credentials, or modify site content.
Technical ContextAI
The vulnerability stems from improper input sanitization and output encoding in the WP REST Cache plugin (identified via CPE cpe:2.3:a:acato:wp_rest_cache:*:*:*:*:*:*:*:*), which is a WordPress REST API caching mechanism. The root cause is classified as CWE-79, indicating that user-supplied input is not properly neutralized before being rendered in HTML context during web page generation. WordPress REST API endpoints and cached data are likely involved in the attack surface, where an attacker can inject malicious scripts through REST API calls or cache poisoning that subsequently execute when cached content is served to site visitors and administrators.
RemediationAI
Immediately upgrade the WP REST Cache plugin to a patched version beyond 2026.1.0 once available from the Acato development team; check the official WordPress plugin repository or the vendor's website for the latest release. Until a patch is released, apply input validation and output encoding controls at the application or reverse proxy level, restrict REST API endpoint access to authenticated users only through WordPress authentication plugins or web application firewall rules, and consider disabling the REST API cache feature temporarily if operationally feasible. Monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-rest-cache/vulnerability/wordpress-wp-rest-cache-plugin-2026-1-0-cross-site-scripting-xss-vulnerability for patch availability announcements and enable automatic plugin updates if supported by the WordPress deployment.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15663
GHSA-xx28-crrx-45xc