Platform
wordpress
Component
content-no-cache
Fixed in
0.1.5
CVE-2025-28993 describes a Code Injection vulnerability discovered in Content No Cache, a WordPress plugin. This flaw allows attackers to inject malicious code, potentially leading to unauthorized access and control over the affected WordPress site. The vulnerability impacts versions 0.0.0 through 0.1.4, and a fix is available in version 0.1.4.
The Code Injection vulnerability in Content No Cache presents a significant risk to WordPress websites utilizing the plugin. An attacker could leverage this flaw to inject arbitrary code, such as PHP, directly into the server-side environment. This could lead to a complete compromise of the website, allowing the attacker to steal sensitive data (user credentials, database information), modify website content, or even gain control of the underlying server. The potential blast radius extends beyond the website itself, potentially impacting any connected systems or databases. Successful exploitation could mirror the impact of other code injection vulnerabilities where attackers gain remote code execution.
CVE-2025-28993 was publicly disclosed on 2025-06-27. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the nature of the vulnerability suggests that it is likely to be exploited once a POC is released.
WordPress websites utilizing the Content No Cache plugin, particularly those running older, unpatched versions (0.0.0–0.1.4), are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially impact others.
• wordpress / composer / npm:
grep -r "<?php" /var/www/html/wp-content/plugins/content-no-cache/
• wordpress / composer / npm:
wp plugin list | grep content-no-cache
• wordpress / composer / npm:
wp plugin update content-no-cache
EPSS
0.07% (21% percentile)
The primary mitigation for CVE-2025-28993 is to immediately upgrade Content No Cache to version 0.1.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to filter potentially malicious code injection attempts can provide an additional layer of defense. Regularly review WordPress plugin security updates and consider using a security scanner plugin to proactively identify vulnerabilities.
Update the Content No Cache plugin to the latest available version to mitigate the code injection vulnerability. Check the plugin's page on WordPress.org for the most recent version and update instructions. Make a full backup of your website before performing any update.
CVE-2025-28993 is a Code Injection vulnerability affecting Content No Cache WordPress plugin versions 0.0.0–0.1.4, allowing attackers to inject malicious code.
If you are using Content No Cache version 0.0.0 through 0.1.4, you are affected by this vulnerability.
Upgrade Content No Cache to version 0.1.4 or later to remediate the vulnerability. Consider disabling the plugin if immediate upgrade is not possible.
There is currently no indication of active exploitation, but the vulnerability is likely to be exploited once a proof-of-concept is released.
Refer to the official Content No Cache project repository or website for the latest security advisories and updates.