Platform
wordpress
Component
cloudflare-cache-purge
Fixed in
1.2.1
CVE-2025-22332 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the shanaver CloudFlare Cache Purge plugin for WordPress. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability affects versions from 0.0.0 through 1.2, and a patch is available in version 1.2.1.
An attacker can exploit this Reflected XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user opens that URL, the injected script executes in their browser in the context of the WordPress site on which the CloudFlare Cache Purge plugin is installed. This allows the attacker to steal cookies, redirect the user to a phishing site, or modify the content of the page. The potential impact is significant, as successful exploitation could compromise user accounts and expose sensitive data. The attack surface is broad, as any user visiting the crafted URL is at risk.
CVE-2025-22332 was publicly disclosed on 2025-01-31. While no active exploitation campaigns have been confirmed, the availability of a public CVE and the relatively simple nature of Reflected XSS vulnerabilities suggest a potential for exploitation. No KEV listing exists as of this writing. Public proof-of-concept code is likely to emerge, increasing the risk.
Exploit Status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-22332 is to immediately upgrade the CloudFlare Cache Purge plugin to version 1.2.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data within the plugin to sanitize potentially malicious input. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Regularly review WordPress plugin configurations for potential vulnerabilities.
Update the CloudFlare Cache Purge plugin to the latest available version to mitigate the XSS vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Additionally, review and sanitize any user input that is used to generate web content.
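One way to act on the version advice above, as an added example that is not the advisory's or the plugin's own code: read the plugin's WordPress `Version:` header and test it against the affected range 0.0.0 through 1.2 stated in this advisory. The plugin file path is an assumed placeholder; the sample header is constructed.

```python
"""Check an installed CloudFlare Cache Purge plugin against CVE-2025-22332's
affected range (0.0.0 through 1.2; fixed in 1.2.1). Added example, not code
from the advisory or the plugin."""
import re
from pathlib import Path
from typing import Optional, Tuple

AFFECTED_MIN = "0.0.0"
AFFECTED_MAX = "1.2"   # last vulnerable version per the advisory
FIXED_IN = "1.2.1"

# Assumed placeholder path; adjust to the plugin's real main file on your host.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/cloudflare-cache-purge/PLUGIN_MAIN_FILE.php")

# Matches the standard WordPress plugin header line, e.g. " * Version: 1.2".
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def version_tuple(v: str, width: int = 4) -> Tuple[int, ...]:
    """Numeric tuple so that 1.2 < 1.2.1 < 1.10; a plain string comparison
    would wrongly rank '1.10' below '1.2'. Missing components count as 0."""
    nums = [int(p) for p in re.findall(r"\d+", v)]
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    nums += [0] * (width - len(nums))
    return tuple(nums[:width])


def is_affected(version: str) -> bool:
    """True when version lies inside the advisory's affected range (inclusive)."""
    return version_tuple(AFFECTED_MIN) <= version_tuple(version) <= version_tuple(AFFECTED_MAX)


def read_plugin_version(header_text: str) -> Optional[str]:
    """Extract the Version: field from a plugin's header comment, if present."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def assess(header_text: str) -> str:
    version = read_plugin_version(header_text)
    if version is None:
        return "unknown: no Version header found"
    if is_affected(version):
        return f"AFFECTED: {version} is within {AFFECTED_MIN}..{AFFECTED_MAX}; upgrade to {FIXED_IN} or later"
    return f"not affected: {version} is outside the affected range"


# Constructed sample header in the WordPress plugin-header format.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: CloudFlare Cache Purge\nVersion: 1.2\n*/\n"

if __name__ == "__main__":
    text = PLUGIN_MAIN_FILE.read_text(errors="replace") if PLUGIN_MAIN_FILE.exists() else SAMPLE_HEADER
    print(assess(text))
```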
CVE-2025-22332 is a Reflected XSS vulnerability in the CloudFlare Cache Purge plugin for WordPress, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using CloudFlare Cache Purge versions 0.0.0 through 1.2. Check your plugin version and upgrade immediately if necessary.
Upgrade the CloudFlare Cache Purge plugin to version 1.2.1 or later. Consider implementing input validation and output encoding as an additional precaution.
No active exploitation campaigns have been confirmed, but the vulnerability is publicly known and could be exploited.
Refer to the plugin's official repository or the shanaver developer's website for the latest advisory and update information.