CVE-2026-28044 in WP Rocket Plugin
Summary
by MITRE • 03/19/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/19/2026
This vulnerability represents a critical cross-site scripting weakness that specifically targets the WP Media WP Rocket plugin, a widely used caching solution for wordpress environments. The flaw occurs during the web page generation process where user input is not properly sanitized or escaped before being rendered back to users. This stored XSS vulnerability allows attackers to inject malicious scripts that persist in the application's database and execute whenever affected pages are loaded. The vulnerability affects versions of WP Rocket from an unspecified starting point through version 3.19.4, indicating a significant attack surface that spans multiple releases and potentially affects thousands of wordpress installations.
The technical implementation of this vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's content handling routines. When administrators or users submit content through forms or administrative interfaces that are subsequently processed and stored by WP Rocket, the plugin fails to properly neutralize potentially malicious input before it gets embedded into generated web pages. This creates a persistent threat where malicious scripts can execute in the context of any user who views the affected content, making it particularly dangerous for high-privilege accounts that may have access to sensitive administrative functions. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications.
From an operational impact perspective, this vulnerability enables attackers to perform a range of malicious activities including but not limited to session hijacking, credential theft, and data exfiltration from authenticated users. Attackers can leverage the stored nature of this XSS to inject persistent malicious code that can redirect users to phishing sites, steal cookies, or even execute arbitrary commands on vulnerable systems. The attack vector typically involves an authenticated user with sufficient privileges to submit content that gets processed by WP Rocket, making it particularly concerning for administrative accounts. The vulnerability also creates opportunities for attackers to escalate privileges or establish persistent backdoors within compromised wordpress environments.
Mitigation strategies for this vulnerability should begin with immediate patching of affected WP Rocket installations to versions beyond 3.19.4 where the XSS flaw has been addressed. Organizations should implement comprehensive input validation and output escaping mechanisms across all user-submitted content processing pathways within their wordpress environments. Network monitoring solutions should be configured to detect suspicious script injection patterns and anomalous user behavior that might indicate exploitation attempts. Additionally, implementing content security policies can provide an additional layer of defense by restricting script execution and preventing unauthorized code injection. The vulnerability also highlights the importance of regular security auditing and penetration testing of wordpress plugins to identify and remediate similar weaknesses before they can be exploited by threat actors. Organizations should also consider implementing web application firewalls to detect and block malicious input patterns targeting known XSS vulnerabilities.