Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4.
AnalysisAI
WP Rocket, a popular WordPress performance optimization plugin, contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 3.19.4 that allows authenticated attackers with high privileges to inject malicious scripts into web pages. An attacker with administrator or equivalent access can craft specially-formatted input that bypasses input sanitization, resulting in persistent XSS that executes in the browsers of other site users. The vulnerability has a CVSS score of 5.9 (Medium), requiring high privileges and user interaction, with no evidence of active exploitation in the wild or public proof-of-concept code.
Technical ContextAI
The vulnerability stems from improper neutralization of user input during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). WP Rocket (CPE: cpe:2.3:a:wp_media:wp_rocket:*:*:*:*:*:*:*:*) is a WordPress plugin that caches and optimizes website performance. The root cause is inadequate input validation and output encoding in plugin functionality that processes user-supplied data without sufficient sanitization before rendering it in HTML context. This allows attackers to inject JavaScript code that persists in the WordPress database and executes whenever affected pages are viewed, representing a classic Stored XSS attack vector exploiting the gap between input acceptance and safe output handling.
RemediationAI
Upgrade WP Rocket to version 3.19.5 or later, which patches the input sanitization vulnerability. Site administrators should immediately update the plugin through the WordPress dashboard (Plugins > Installed Plugins > WP Rocket > Update if available) or manually download the patched version from the WP Media website. Until an update can be applied, restrict administrative access to trusted users only, audit existing administrator accounts for unauthorized activity, and implement WordPress security monitoring to detect unusual post or page modifications. Consider using Web Application Firewall (WAF) rules configured to detect and block XSS payloads in POST requests to the WordPress admin interface, though this is a temporary measure pending the official patch. Detailed patch information and vendor advisory are available at https://patchstack.com/database/wordpress/plugin/wp-rocket/vulnerability/wordpress-wp-rocket-plugin-3-19-4-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13047