The Cache Purger
Monthly
Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.