CVE-2025-6213

Publication date

2025-07-22 09:22:44

Family

Wordfence

State

PUBLISHED

Description

The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the nppp_preload_cache_on_update function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERER'] parameter passed from the nppp_handle_fastcgi_cache_actions_admin_bar function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
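
The root cause named above is a client-controlled Referer header reaching a sensitive function without validation. The following is an added example, not the plugin's code or its fix: a strict allow-list validator that accepts only a same-site http(s) URL and rebuilds it from parsed parts. The function name `example_safe_referer`, the site URL and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin or its patch.
// Returns a rebuilt same-site URL from the Referer header, or null if rejected.
function example_safe_referer(array $server, string $site_url): ?string
{
    $raw = $server['HTTP_REFERER'] ?? '';
    // The header is attacker-controlled: bound its length first.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return null;
    }
    // Reject whitespace, control bytes and non-ASCII, then characters that
    // carry meaning for shells, SQL or HTML, whatever the later use is.
    if (preg_match('/[^\x21-\x7E]/', $raw)
        || strpbrk($raw, '\'"`$\\;|<>(){}') !== false) {
        return null;
    }
    $ref  = parse_url($raw);
    $site = parse_url($site_url);
    if ($ref === false || $site === false
        || !isset($ref['scheme'], $ref['host'], $site['host'])) {
        return null;
    }
    // Only http(s), no embedded credentials, host must match this site.
    if (!in_array(strtolower($ref['scheme']), ['http', 'https'], true)
        || isset($ref['user']) || isset($ref['pass'])
        || strcasecmp($ref['host'], $site['host']) !== 0) {
        return null;
    }
    // Rebuild from parsed parts instead of forwarding the raw header value.
    $url = strtolower($ref['scheme']) . '://' . strtolower($ref['host']);
    if (isset($ref['port'])) {
        $url .= ':' . $ref['port'];
    }
    $url .= $ref['path'] ?? '/';
    if (isset($ref['query'])) {
        $url .= '?' . $ref['query'];
    }
    return $url; // fragment is intentionally dropped
}

// Constructed sample headers; https://blog.example is a placeholder site.
$samples = [
    'https://blog.example/2025/07/post/?p=1', // accepted
    'https://other.example/',                 // rejected: foreign host
    'https://blog.example/a;b',               // rejected: metacharacter
    'https://blog.example/a b',               // rejected: whitespace
];
foreach ($samples as $s) {
    var_export(example_safe_referer(['HTTP_REFERER' => $s], 'https://blog.example'));
    echo "\n";
}
```

A value that passes this check is still untrusted input for any command, query or markup it is placed into, so context-specific escaping at the point of use remains necessary.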