Platform: wordpress
Component: content-no-cache
Fixed in: 0.1.5
CVE-2025-28993 describes a Code Injection vulnerability discovered in Content No Cache, a WordPress plugin. This flaw allows attackers to inject malicious code, potentially leading to unauthorized access and control over the affected WordPress site. The vulnerability impacts versions 0.0.0 through 0.1.4, and a fix is available in version 0.1.5.
The Code Injection vulnerability in Content No Cache presents a significant risk to WordPress websites utilizing the plugin. An attacker could leverage this flaw to inject arbitrary code, such as PHP, directly into the server-side environment. This could lead to a complete compromise of the website, allowing the attacker to steal sensitive data (user credentials, database information), modify website content, or even gain control of the underlying server. The blast radius extends beyond the website itself and may reach any connected systems or databases. Successful exploitation could mirror the impact of other code injection vulnerabilities where attackers gain remote code execution.
CVE-2025-28993 was publicly disclosed on 2025-06-27. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the nature of the vulnerability suggests that it is likely to be exploited once a POC is released.
Exploit Status
EPSS: 0.07% (21% percentile)
The primary mitigation for CVE-2025-28993 is to immediately upgrade Content No Cache to version 0.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While not a complete solution, a Web Application Firewall (WAF) with rules that filter potentially malicious code injection attempts can provide an additional layer of defense. Regularly review WordPress plugin security updates and consider using a security scanner plugin to proactively identify vulnerabilities.
Update the Content No Cache plugin to the latest available version to mitigate the code injection vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Perform a full backup of your website before performing any updates.
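To find which sites still need the upgrade, the following added example (not code from the plugin or from this advisory's publisher) walks a directory tree, reads the `Version:` header of each Content No Cache install, and compares it with the "Fixed in" value above. It assumes the standard `wp-content/plugins/<slug>` layout and takes the directory name from the Component field; `audit`, `installed_version` and `version_key` are names chosen for this sketch.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "content-no-cache"  # "Component" value from the advisory
FIXED_VERSION = "0.1.5"           # "Fixed in" value from the advisory

# WordPress takes a plugin's version from the "Version:" header comment
# of its main PHP file, e.g. " * Version: 0.1.4".
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d[\w.\-]*)", re.M | re.I)


def version_key(version):
    """'0.1.4' -> (0, 1, 4, 0), so comparison is numeric, not lexical."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def installed_version(plugin_dir):
    """Return the Version header found in the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress looks for headers only in the first 8 KB of a file.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if match and re.search(r"Plugin Name:", head, re.I):
            return match.group(1)
    return None


def audit(root):
    """Map every Content No Cache install under root to (version, status)."""
    report = {}
    for plugin_dir in Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}"):
        if not plugin_dir.is_dir():
            continue
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"      # no readable header: inspect by hand
        elif version_key(version) < version_key(FIXED_VERSION):
            status = "vulnerable"   # upgrade or deactivate the plugin
        else:
            status = "fixed"
        report[str(plugin_dir)] = (version, status)
    return report


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (version, status) in sorted(audit(root).items()):
        print(f"{status:10} {version or '-':8} {path}")
```

Run it with the directory that holds your sites as the only argument; an `unknown` result means the header could not be read and the install should be checked manually.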
CVE-2025-28993 is a Code Injection vulnerability affecting Content No Cache WordPress plugin versions 0.0.0–0.1.4, allowing attackers to inject malicious code.
If you are using Content No Cache version 0.0.0 through 0.1.4, you are affected by this vulnerability.
Upgrade Content No Cache to version 0.1.5 or later to remediate the vulnerability. Consider disabling the plugin if immediate upgrade is not possible.
There is currently no indication of active exploitation, but the vulnerability is likely to be exploited once a proof-of-concept is released.
Refer to the official Content No Cache project repository or website for the latest security advisories and updates.