Skip to main content

Wp Rest Cache CVE-2026-25347

| EUVDEUVD-2026-15663 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-xx28-crrx-45xc
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15663
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Acato WP REST Cache wp-rest-cache allows Stored XSS.This issue affects WP REST Cache: from n/a through <= 2026.1.0.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Acato WP REST Cache WordPress plugin through version 2026.1.0, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of site administrators and users. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects all installations of WP REST Cache up to and including version 2026.1.0. An attacker with appropriate access could inject stored XSS payloads that compromise administrator sessions, steal credentials, or modify site content.

Technical ContextAI

The vulnerability stems from improper input sanitization and output encoding in the WP REST Cache plugin (identified via CPE cpe:2.3:a:acato:wp_rest_cache:*:*:*:*:*:*:*:*), which is a WordPress REST API caching mechanism. The root cause is classified as CWE-79, indicating that user-supplied input is not properly neutralized before being rendered in HTML context during web page generation. WordPress REST API endpoints and cached data are likely involved in the attack surface, where an attacker can inject malicious scripts through REST API calls or cache poisoning that subsequently execute when cached content is served to site visitors and administrators.

RemediationAI

Immediately upgrade the WP REST Cache plugin to a patched version beyond 2026.1.0 once available from the Acato development team; check the official WordPress plugin repository or the vendor's website for the latest release. Until a patch is released, apply input validation and output encoding controls at the application or reverse proxy level, restrict REST API endpoint access to authenticated users only through WordPress authentication plugins or web application firewall rules, and consider disabling the REST API cache feature temporarily if operationally feasible. Monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-rest-cache/vulnerability/wordpress-wp-rest-cache-plugin-2026-1-0-cross-site-scripting-xss-vulnerability for patch availability announcements and enable automatic plugin updates if supported by the WordPress deployment.

Share

CVE-2026-25347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy