{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6213", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-17T19:03:21.568Z", "datePublished": "2025-07-22T09:22:44.147Z", "dateUpdated": "2026-04-08T17:18:37.182Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:37.182Z"}, "affected": [{"vendor": "psauxit", "product": "Nginx Cache Purge Preload", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "title": "Nginx Cache Purge Preload <= 2.1.1 - Authenticated (Administrator+) Remote Code Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbe8c101-5e0a-4ba7-8ff7-4c8ed01e9ef5?source=cve"}, {"url": "https://wordpress.org/plugins/fastcgi-cache-purge-and-preload-nginx/"}, {"url": "https://github.com/psaux-it/nginx-fastcgi-cache-purge-and-preload"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332176%40fastcgi-cache-purge-and-preload-nginx&new=3332176%40fastcgi-cache-purge-and-preload-nginx&sfp_email=&sfph_mail=#file15"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "cynau1t"}], "timeline": [{"time": "2025-07-21T20:50:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-22T20:03:21.126018Z", "id": "CVE-2025-6213", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-22T20:03:28.839Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6213", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-22T20:03:21.126018Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-22T20:03:25.119Z"}}], "cna": {"title": "Nginx Cache Purge Preload <= 2.1.1 - Authenticated (Administrator+) Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "cynau1t"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "psauxit", "product": "Nginx Cache Purge Preload", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-21T20:50:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbe8c101-5e0a-4ba7-8ff7-4c8ed01e9ef5?source=cve"}, {"url": "https://wordpress.org/plugins/fastcgi-cache-purge-and-preload-nginx/"}, {"url": "https://github.com/psaux-it/nginx-fastcgi-cache-purge-and-preload"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332176%40fastcgi-cache-purge-and-preload-nginx&new=3332176%40fastcgi-cache-purge-and-preload-nginx&sfp_email=&sfph_mail=#file15"}], "descriptions": [{"lang": "en", "value": "The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:37.182Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6213", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:37.182Z", "dateReserved": "2025-06-17T19:03:21.568Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-22T09:22:44.147Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}, {"lang": "es", "value": "El complemento Nginx Cache Purge Preload para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta la 2.1.1 incluida, a trav\u00e9s de la funci\u00f3n 'nppp_preload_cache_on_update'. Esto se debe a una depuraci\u00f3n insuficiente del par\u00e1metro $_SERVER['HTTP_REFERER'] transferido desde la funci\u00f3n 'nppp_handle_fastcgi_cache_actions_admin_bar'. Esto permite que atacantes autenticados, con acceso de administrador o superior, ejecuten c\u00f3digo en el servidor."}], "id": "CVE-2025-6213", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-22T10:15:25.763", "references": [{"source": "security@wordfence.com", "url": "https://github.com/psaux-it/nginx-fastcgi-cache-purge-and-preload"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332176%40fastcgi-cache-purge-and-preload-nginx&new=3332176%40fastcgi-cache-purge-and-preload-nginx&sfp_email=&sfph_mail=#file15"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/fastcgi-cache-purge-and-preload-nginx/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbe8c101-5e0a-4ba7-8ff7-4c8ed01e9ef5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:12:47.531749+00:00", "value": {"mitigation_remediation": ["Update the Nginx Cache Purge Preload plugin to the latest available version (or uninstall if no upgrade exists).", "If upgrading is not immediately possible, disable the plugin\u2019s admin\u2011bar functionality or remove the plugin entirely to eliminate the code execution path.", "Configure the web server or application to whitelist allowable HTTP_REFERERER values and reject or neutralize unexpected content to mitigate future injection attempts."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Nginx Cache Purge Preload plugin version 2.1.1 or earlier. Security teams should inventory any installation of this plugin and check the version number against the known vulnerable releases.", "description_and_impact": "The WordPress Nginx Cache Purge Preload plugin, versions 2.1.1 and earlier, contains a code injection flaw (CWE-94). Unsanitized HTTP_REFERERER values passed through the admin bar handler allow an attacker who can authenticate as an Administrator or higher to supply arbitrary code that is then executed on the webserver. This flaw leads to full server compromise, giving attackers arbitrary command execution and data exfiltration capabilities.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a serious severity, while the EPSS score of less than 1% suggests the likelihood of exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog, but because it requires only an authenticated Administrator account, the scope of potential damage remains high. The likely attack vector is a web request originating from a legitimate administrator session that supplies a crafted HTTP_REFERERER header through the WordPress admin interface. Once executed, the injected code runs with the same privileges as the web server, enabling persistent compromise."}}}}, "created": "2025-07-23T17:36:06.091002+00:00", "updated": "2026-04-20T20:15:06.222787+00:00", "vendors": ["psauxit", "psauxit$PRODUCT$nginx_cache_purge_preload", "wordpress", "wordpress$PRODUCT$wordpress"]}