CVE-2025-6213
Description
The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Nginx Cache Purge Preload plugin ≤2.1.1 for WordPress has an authenticated Remote Code Execution flaw via unsanitized HTTP_REFERERER server variable in the admin bar handler.
Vulnerability Description
The Nginx Cache Purge Preload plugin (NPP) for WordPress, in all versions up to and including 2.1.1, contains a Remote Code Execution vulnerability. The root cause is insufficient sanitization of the $_SERVER['HTTP_REFERERER'] server variable, which the nppp_handle_fastcgi_cache_actions_admin_bar function passes to the nppp_preload_cache_on_update function. Because that value is attacker-controlled request data rather than trusted configuration, it can be crafted so that the plugin's processing of it results in arbitrary code execution on the server [1][2].
Exploitation and Attack Surface
To exploit this vulnerability, an attacker must be authenticated with Administrator-level access or higher. No special network position is required beyond being able to send a crafted HTTP request to the WordPress admin interface; the injected value travels in a request header that the client sets freely, so no other user interaction is needed. The plugin's reliance on PHP's shell_exec() function and direct execution of system utilities creates a dangerous attack surface when user-controlled input is not properly filtered [2]: a header value that contains shell metacharacters (for example a command separator) and reaches the command string unquoted becomes additional commands executed by the web server's PHP process.
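The pattern described above, shown as an added example that is not the plugin's own code: a hypothetical cache-preload handler that builds a wget command from a Referer-style header, first in the vulnerable shape (raw concatenation into a shell_exec() argument) and then hardened. The function names, the wget command and the sample header values are assumptions for illustration; the real plugin's command line and control flow are not reproduced here. The demo only builds the command strings and prints them, it does not execute them.

```php
<?php
// Added example, not code from the Nginx Cache Purge Preload plugin.
// Models the bug class: attacker-controlled $_SERVER['HTTP_REFERER']-style
// data concatenated into a shell command that later reaches shell_exec().

// VULNERABLE pattern (hypothetical): header value pasted into the command.
// A header such as "http://x/; id" yields "wget ... http://x/; id", and the
// shell runs "id" as a second command with the web server's privileges.
function vulnerable_preload_command(string $referer): string
{
    return 'wget -q -O /dev/null ' . $referer;
}

// HARDENED pattern (hypothetical): validate the value as an http(s) URL that
// points at this site, then single-quote it so the shell treats it as data.
// Returns null when the value should be rejected instead of preloaded.
function safe_preload_command(string $referer, string $site_host): ?string
{
    // Structural URL check: rejects spaces, missing scheme/host, etc.
    $url = filter_var($referer, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only http/https, and only the site's own host (an admin-bar "preload
    // this page" action has no reason to fetch a third-party origin).
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (strcasecmp($parts['host'], $site_host) !== 0) {
        return null;
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so ; | $( ) ` and friends are passed literally, not interpreted.
    return 'wget -q -O /dev/null ' . escapeshellarg($url);
}

// Constructed sample header values; none of these is a real exploit payload.
$samples = [
    'https://example.com/blog/2025/post/?p=1',   // legitimate
    'http://example.com/; id',                    // command separator
    'https://evil.example/$(id)',                 // foreign host + substitution
    'https://example.com/$(id)',                  // own host + substitution
];

foreach ($samples as $referer) {
    printf("%-42s vulnerable: %s\n", $referer, vulnerable_preload_command($referer));
    $safe = safe_preload_command($referer, 'example.com');
    printf("%-42s hardened:   %s\n\n", '', $safe ?? 'rejected');
}
```

Two layers matter here. The host and scheme checks reject most hostile input outright, but the last sample passes them, and it is escapeshellarg() that keeps "$(id)" from being expanded; validation alone is not a substitute for quoting. The stronger fix for a WordPress plugin is to avoid the shell entirely and fetch the URL with wp_remote_get(), which removes the command-injection surface rather than fencing it.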
Impact
A successful exploit allows an authenticated administrator to execute arbitrary operating system commands on the underlying server. This could result in full compromise of the WordPress instance, data exfiltration, lateral movement within the hosting environment, or installation of backdoors. Given that the attacker already has administrative access to WordPress, this vulnerability elevates the threat from web-application administrative control to server-level control [1].
Mitigation Status
The vendor has released an updated version of the plugin to address this issue. Users are strongly advised to update to version 2.1.2 or later, which contains the necessary input sanitization fixes. As of the publication date, there is no evidence of this CVE being listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because exploitation requires an Administrator account, exposed or weak administrative credentials are the most likely path to it in practice [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Nginx Cache Purge Preload (WordPress plugin), versions <=2.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.