Platform
wordpress
Component
cloudflare-cache-purge
Fixed in
1.2.1
CVE-2025-22332 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the shanaver CloudFlare Cache Purge plugin for WordPress. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability affects versions from 0.0.0 through 1.2, and a patch is available in version 1.2.1.
Successful exploitation of CVE-2025-22332 allows an attacker to inject arbitrary JavaScript code into web pages viewed by other users. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content of the page. The impact is particularly severe in environments where the plugin is used to manage cached content, as an attacker could potentially inject malicious scripts into cached pages, affecting a wider range of users. The blast radius extends to any user accessing a page containing the injected script, potentially compromising their accounts and data.
CVE-2025-22332 was publicly disclosed on 2025-01-31. No public proof-of-concept (PoC) code has been identified at the time of writing. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
WordPress websites utilizing the shanaver CloudFlare Cache Purge plugin, particularly those running older, unpatched versions (0.0.0–1.2), are at risk. Shared hosting environments where plugin updates are managed centrally may also be vulnerable if they haven't applied the patch.
• wordpress / composer / npm:
grep -r 'shanaver CloudFlare Cache Purge' /wp-content/plugins/
wp plugin list | grep 'cloudflare-cache-purge'
• generic web:
curl -I 'https://example.com/?param=<script>alert(1)</script>' | grep 'Content-Security-Policy'
Disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-22332 is to immediately upgrade the CloudFlare Cache Purge plugin to version 1.2.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data within the plugin. Web Application Firewalls (WAFs) can be configured to filter out potentially malicious requests containing XSS payloads. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the plugin's input fields and confirming that the script is not executed.
Update the CloudFlare(R) Cache Purge plugin to the latest available version to mitigate the XSS vulnerability. Check the plugin page on WordPress.org for the most recent version and update instructions. In addition, review and sanitize any user input that is used to generate web content.
CVE-2025-22332 is a Reflected XSS vulnerability in the CloudFlare Cache Purge plugin for WordPress, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using CloudFlare Cache Purge versions 0.0.0 through 1.2. Check your plugin version and upgrade immediately if necessary.
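An added example for the version check above, not the advisory's or the plugin's own code: it locates the plugin under a WordPress plugins directory by its header, reads the Version: line and tests it against the fixed release 1.2.1 with a field-wise numeric comparison, so 1.2 counts as affected and 1.10 does not. The plugins-directory layout, the header format and the sample plugin file are assumptions.

```shell
#!/bin/sh
# Added example (not the advisory's or plugin's code): locate the CloudFlare Cache
# Purge plugin in a WordPress plugins directory, read its "Version:" header and
# decide whether it falls in the affected range (below the fixed release 1.2.1).

FIXED_VERSION="1.2.1"   # from the advisory: versions 0.0.0 through 1.2 are affected

# Print the version from a plugin file's WordPress header block (first "Version:" line).
plugin_version() {
    sed -n 's/^[[:space:]]*[*]*[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dot-separated numeric version $1 is strictly lower than $2.
# Compares field by field so that 1.2 < 1.2.1 and 1.9 < 1.10 hold (a string compare would not).
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        a="${a#*.}"  b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Return 0 when the installed version is affected by CVE-2025-22332.
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# Find the plugin's main file under a plugins directory by its header and print its version.
# The directory name (plugins/cloudflare-cache-purge/) is assumed; the file name is not.
installed_version() {
    f=$(grep -rl 'Plugin Name:[[:space:]]*CloudFlare Cache Purge' "$1/cloudflare-cache-purge" 2>/dev/null | head -n 1)
    [ -n "$f" ] && plugin_version "$f"
}

# Demonstration on a constructed plugin directory (sample header, not the real plugin file).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/cloudflare-cache-purge"
printf '<?php\n/*\nPlugin Name: CloudFlare Cache Purge\nVersion: 1.2\n*/\n' \
    > "$demo_dir/cloudflare-cache-purge/cloudflare-cache-purge.php"
v=$(installed_version "$demo_dir")
if is_affected "$v"; then
    echo "CloudFlare Cache Purge $v is affected by CVE-2025-22332; update to $FIXED_VERSION or later"
else
    echo "CloudFlare Cache Purge $v is not affected"
fi
rm -rf "$demo_dir"
```

Point installed_version at a real wp-content/plugins directory to check an actual install.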
Upgrade the CloudFlare Cache Purge plugin to version 1.2.1 or later. Consider implementing input validation and output encoding as an additional precaution.
No active exploitation campaigns have been confirmed, but the vulnerability is publicly known and could be exploited.
Refer to the plugin's official repository or the shanaver developer's website for the latest advisory and update information.