Platform
wordpress
Component
wp-rest-cache
Fixed version
2026.1.1
CVE-2026-25347 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the WP REST Cache plugin for WordPress. This flaw allows attackers to inject malicious JavaScript code that executes in the context of other users' browsers, potentially leading to account takeover or data theft. The vulnerability affects versions from 0.0 up to and including 2026.1.0, and a patch is available in version 2026.1.1.
The impact of this XSS vulnerability is significant. An attacker could inject malicious scripts into the WP REST Cache plugin's data storage, which would then be served to other users visiting pages that use the plugin. This could allow an attacker to steal session cookies, redirect users to phishing sites, deface the website, or execute arbitrary script in the victim's browser. The scope of the impact depends on how the plugin is used and on the permissions of the affected users; administrators are at the highest risk. Successful exploitation could lead to complete compromise of a WordPress site and its associated data.
CVE-2026-25347 was publicly disclosed on 2026-03-25. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of XSS exploitation means it is likely to become a target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is anticipated given the nature of the vulnerability.
Websites using the WP REST Cache plugin, particularly those with user-generated content or features that allow users to input data that is stored and displayed by the plugin, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
  grep -r "<script>" /var/www/html/wp-content/plugins/wp-rest-cache/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep wp-rest-cache
• wordpress / composer / npm:
  wp plugin update wp-rest-cache --all
• generic web: Inspect website source code for suspicious JavaScript code injected into pages served by the WP REST Cache plugin.
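As an added example (not part of this advisory or of the plugin), the following POSIX shell script decides whether an installed WP REST Cache version falls inside the affected range (0.0 up to and including 2026.1.0) by comparing it component by component against the fixed version 2026.1.1, and wraps that check around WP-CLI; the WP-CLI call, the `check_site` helper and its site path argument are assumptions.

```shell
#!/bin/sh
# Added example for CVE-2026-25347: is the installed wp-rest-cache
# version older than the fixed release 2026.1.1?
# Assumes WP-CLI ("wp") is installed for check_site; the pure-string
# functions below need nothing but a POSIX shell.

FIXED_VERSION="2026.1.1"

# version_lt A B: returns 0 when A is strictly older than B.
# Versions are dot-separated; a missing component counts as 0 and any
# non-numeric suffix (e.g. "1rc2") is ignored for that component.
version_lt() {
  vl_a=$1; vl_b=$2
  while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
    vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}
    case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
    case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
    vl_x=${vl_x%%[!0-9]*}; vl_y=${vl_y%%[!0-9]*}
    vl_x=${vl_x:-0};       vl_y=${vl_y:-0}
    if [ "$vl_x" -lt "$vl_y" ]; then return 0; fi
    if [ "$vl_x" -gt "$vl_y" ]; then return 1; fi
  done
  return 1   # equal versions are not "less than"
}

# assess_version V: prints "vulnerable" for 0.0..2026.1.0, else "patched".
assess_version() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# check_site WP_PATH: read the installed plugin version via WP-CLI
# (assumed available) and report it. Returns 2 if the plugin is absent.
check_site() {
  cs_v=$(wp plugin get wp-rest-cache --field=version --path="$1" 2>/dev/null) \
    || { echo "wp-rest-cache: not installed at $1"; return 2; }
  echo "wp-rest-cache $cs_v: $(assess_version "$cs_v")"
}
```

Run `check_site /var/www/html` on a site; a "vulnerable" result means the plugin should be updated to 2026.1.1 or later.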
disclosure
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25347 is to immediately upgrade the WP REST Cache plugin to version 2026.1.1 or later. If upgrading is not immediately feasible, consider implementing input validation on all user-supplied data processed by the plugin to prevent malicious script injection. A Web Application Firewall (WAF) configured to block XSS payloads targeting the plugin's endpoints can provide an additional layer of defense. Reviewing and sanitizing existing plugin data for any injected scripts is also recommended.
Update to version 2026.1.1, or a newer patched version
CVE-2026-25347 is a stored XSS vulnerability in the WP REST Cache plugin for WordPress, allowing attackers to inject malicious scripts. It affects versions 0.0 through 2026.1.0.
You are affected if you are using the WP REST Cache plugin in versions 0.0 to 2026.1.0. Check your plugin version and update immediately if vulnerable.
Upgrade the WP REST Cache plugin to version 2026.1.1 or later. Consider input validation and WAF rules as interim mitigations.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it a likely target.
Refer to the WP REST Cache plugin's official website or WordPress.org plugin repository for the latest advisory and update information.