Platform: wordpress
Component: cloudflare-cache-purge
Fixed in: 1.2.1
CVE-2025-22332 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the shanaver CloudFlare Cache Purge plugin for WordPress. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability affects versions from 0.0.0 through 1.2, and a patch is available in version 1.2.1.
An attacker can exploit this Reflected XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes in their browser within the context of the CloudFlare Cache Purge plugin. This allows the attacker to steal cookies, redirect the user to a phishing site, or modify the content of the page. The potential impact is significant, as successful exploitation could compromise user accounts and expose sensitive data. The attack surface is broad, as any user visiting the crafted URL is at risk.
CVE-2025-22332 was publicly disclosed on 2025-01-31. While no active exploitation campaigns have been confirmed, the availability of a public CVE and the relatively simple nature of Reflected XSS vulnerabilities suggest a potential for exploitation. No KEV listing exists as of this writing. Public proof-of-concept code is likely to emerge, increasing the risk.
WordPress websites utilizing the shanaver CloudFlare Cache Purge plugin, particularly those running older, unpatched versions (0.0.0–1.2), are at risk. Shared hosting environments where plugin updates are managed centrally may also be vulnerable if they haven't applied the patch.
• wordpress / composer / npm:
grep -r 'shanaver CloudFlare Cache Purge' /wp-content/plugins/
wp plugin list | grep 'cloudflare-cache-purge'
• generic web:
curl -I 'https://example.com/?param=<script>alert(1)</script>' | grep 'Content-Security-Policy'
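The grep-based checks above only tell you whether the plugin is present; the advisory's affected range (0.0.0 through 1.2, fixed in 1.2.1) also needs a version comparison. The script below is an added example, not part of the advisory or the plugin: it reads the CSV output of wp-cli's `wp plugin list --fields=name,version --format=csv` and reports whether the installed cloudflare-cache-purge build is below the fixed release, falling back to a constructed sample when wp-cli is not available.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): flag a cloudflare-cache-purge
# install whose version is older than the fixed release 1.2.1.
FIXED_VERSION="1.2.1"
PLUGIN_SLUG="cloudflare-cache-purge"

# Returns 0 (true) when $1 is older than FIXED_VERSION, i.e. falls in the
# affected range 0.0.0 through 1.2 given in the advisory.
is_vulnerable_version() {
  local v="$1"
  [ "$v" = "$FIXED_VERSION" ] && return 1
  # sort -V orders version strings numerically; the older one sorts first.
  [ "$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n1)" = "$v" ]
}

# Reads "name,version" CSV lines on stdin (the shape produced by
# `wp plugin list --fields=name,version --format=csv`, header included)
# and prints one verdict: not-installed, vulnerable:<ver> or patched:<ver>.
check_plugin_list() {
  local verdict="not-installed"
  while IFS=, read -r name version; do
    [ "$name" = "$PLUGIN_SLUG" ] || continue
    if is_vulnerable_version "$version"; then
      verdict="vulnerable:$version"
    else
      verdict="patched:$version"
    fi
  done
  printf '%s\n' "$verdict"
}

# Constructed sample standing in for real wp-cli output on a host that
# still runs the last affected release.
SAMPLE_CSV='name,version
akismet,5.3
cloudflare-cache-purge,1.2'

main() {
  if command -v wp >/dev/null 2>&1 && [ -z "${USE_SAMPLE:-}" ]; then
    wp plugin list --fields=name,version --format=csv | check_plugin_list
  else
    printf '%s\n' "$SAMPLE_CSV" | check_plugin_list
  fi
}

main "$@"
```

Set USE_SAMPLE=1 to force the embedded sample even on a host with wp-cli installed.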
Exploit status
EPSS: 0.08% (percentile 23%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-22332 is to immediately upgrade the CloudFlare Cache Purge plugin to version 1.2.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data within the plugin to sanitize potentially malicious input. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Regularly review WordPress plugin configurations for potential vulnerabilities.
Update the CloudFlare(R) Cache Purge plugin to the latest available version to mitigate the XSS vulnerability. Check the plugin page on WordPress.org for the most recent version and update instructions. Also review and sanitize any user input that is used to generate web content.
CVE-2025-22332 is a Reflected XSS vulnerability in the CloudFlare Cache Purge plugin for WordPress, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using CloudFlare Cache Purge versions 0.0.0 through 1.2. Check your plugin version and upgrade immediately if necessary.
Upgrade the CloudFlare Cache Purge plugin to version 1.2.1 or later. Consider implementing input validation and output encoding as an additional precaution.
No active exploitation campaigns have been confirmed, but the vulnerability is publicly known and could be exploited.
Refer to the plugin's official repository or the shanaver developer's website for the latest advisory and update information.