Skip to main content

The Cache Purger

1 CVEs product

Monthly

CVE-2026-15350 MEDIUM This Month

Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress The Cache Purger
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress The Cache Purger
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy