CVE-2026-15350 in Cache Purger Plugininfo

Summary

by MITRE • 07/16/2026

The The Cache Purger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.3.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently truncate the plugin's cache-purge audit log (wp-content/purge.log), destroying the entire cache-purge audit history. The tcp_log_purge nonce is rendered in the admin bar on frontend pages accessible to all authenticated users including subscribers, meaning any authenticated user possesses the nonce required to trigger the deletion.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The Cache Purger plugin for WordPress presents a critical authorization bypass vulnerability that affects all versions up to and including 2.3.20, creating a significant security risk for WordPress installations. This vulnerability stems from improper user authentication verification within the plugin's core functionality, allowing unauthorized actions to be executed by users who should not have such privileges. The flaw specifically targets the plugin's cache-purge audit logging mechanism, where authenticated attackers with subscriber-level access or higher can exploit this weakness to permanently truncate the purge.log file located in the wp-content directory.

The technical implementation of this vulnerability occurs through the improper handling of the tcp_log_purge nonce, which is rendered within the admin bar on frontend pages accessible to all authenticated users regardless of their role permissions. This design flaw directly violates fundamental security principles by exposing administrative functionality to users who should not possess such capabilities. The nonce mechanism, which should serve as a protective barrier against unauthorized actions, becomes ineffective when it is publicly accessible through the frontend interface, eliminating any meaningful access control restrictions.

The operational impact of this vulnerability extends beyond simple data loss, as it fundamentally compromises the integrity and auditability of cache management operations within WordPress installations. When an authenticated attacker successfully truncates the purge.log file, they destroy the complete cache-purge audit history, eliminating crucial forensic evidence that could be used to track system modifications or identify potential security incidents. This destruction of audit trails creates a false sense of security for administrators while simultaneously removing their ability to monitor and investigate cache-related activities.

From a cybersecurity perspective, this vulnerability maps directly to CWE-863, which addresses "Incorrect Authorization" conditions where an attacker can perform actions they should not be permitted to execute. The issue also aligns with ATT&CK technique T1562.001, "Impair Defenses: Disable or Modify Tools," as the vulnerability allows attackers to compromise the system's logging mechanisms and audit capabilities. Organizations using affected versions of the Cache Purger plugin face significant risks including potential data integrity issues, loss of security monitoring capabilities, and increased attack surface due to the removal of critical audit trails.

The mitigation strategy for this vulnerability requires immediate action from WordPress administrators to either upgrade to a patched version of the Cache Purger plugin or implement temporary workarounds that restrict access to administrative functions. Until a proper fix is applied, administrators should consider disabling the affected plugin entirely or implementing additional access controls to prevent subscriber-level users from accessing frontend admin bar functionality that exposes administrative features. The vulnerability demonstrates the critical importance of proper nonce handling and access control implementation in WordPress plugins, as even seemingly minor security oversights can result in significant operational impacts and potential compromise of system integrity.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!