Vulnerability Description
The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERER'] value passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
CVSS Score
7.2 (HIGH)
Related Weaknesses (CWE)
References
- https://github.com/psaux-it/nginx-fastcgi-cache-purge-and-preload
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://wordpress.org/plugins/fastcgi-cache-purge-and-preload-nginx/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bbe8c101-5e0a-4ba7-8ff
FAQ
What is CVE-2025-6213?
CVE-2025-6213 is a vulnerability with a CVSS score of 7.2 (HIGH). The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to in...
How severe is CVE-2025-6213?
CVE-2025-6213 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2025-6213?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.