CVE-2026-25347 in WP REST Cache Plugin
Summary
by MITRE • 03/25/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Acato WP REST Cache wp-rest-cache allows Stored XSS.This issue affects WP REST Cache: from n/a through <= 2026.1.0.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/31/2026
This vulnerability represents a critical cross-site scripting flaw in the Acato WP REST Cache plugin, specifically impacting versions up to and including 2026.1.0. The issue stems from improper input sanitization during web page generation processes, creating a persistent stored XSS attack vector that can compromise user sessions and execute malicious code within the context of affected websites. The vulnerability falls under CWE-79 which categorizes improper neutralization of input during web page generation as a fundamental web application security weakness. This particular flaw allows attackers to inject malicious scripts that persist in the plugin's cache storage, making the attack vector particularly dangerous as it can affect multiple users over time rather than requiring individual exploitation for each visitor.
The technical implementation of this vulnerability occurs when the wp-rest-cache plugin processes user input through its REST API endpoints without adequate sanitization or encoding of potentially malicious content. When legitimate users access cached pages generated from compromised data, their browsers execute the injected scripts, enabling attackers to perform actions such as stealing session cookies, modifying website content, redirecting users to malicious sites, or conducting further attacks against the compromised environment. The stored nature of this vulnerability means that once malicious input is processed and cached, it remains active until manually removed or the cache is cleared, creating a persistent threat that can affect numerous visitors over extended periods.
From an operational standpoint, this vulnerability poses significant risks to WordPress website administrators and their users. The attack can result in complete session hijacking, data exfiltration, defacement of website content, and potential establishment of backdoors within the affected environment. The impact extends beyond individual user compromise to include potential damage to website reputation, loss of sensitive data, and possible regulatory compliance violations depending on the nature of data processed by the affected website. Organizations relying on the wp-rest-cache plugin for performance optimization face the additional risk that their caching mechanisms become attack vectors rather than security enhancements. This vulnerability aligns with ATT&CK technique T1566.001 which covers phishing with malicious attachments and T1059.007 which involves command and scripting interpreter for JavaScript, demonstrating how the XSS vulnerability can be leveraged for broader attack chains.
The recommended mitigation strategies include immediate patching of the wp-rest-cache plugin to the latest available version that addresses this vulnerability, implementing proper input validation and output encoding mechanisms, and conducting thorough security reviews of all cached content. Administrators should also consider implementing Content Security Policy headers to limit script execution, monitoring for suspicious cache modifications, and establishing regular security audits of plugin installations. Additionally, organizations should implement web application firewalls to detect and block suspicious input patterns and ensure that all user-generated content undergoes strict sanitization before being processed or cached. The vulnerability demonstrates the critical importance of input validation in web applications and the potential consequences when security measures are insufficiently implemented in caching and content generation components.