CVE-2026-28044
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS. This issue affects WP Rocket: from n/a through 3.19.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the WP Rocket WordPress plugin (versions up to and including 3.19.4) lets a low-privileged user persist malicious script in the site; the script then runs in the browser of anyone who views the affected page, enabling redirects or arbitrary payload execution.
Vulnerability Overview
CVE-2026-28044 is a stored cross-site scripting (XSS) vulnerability in the WP Rocket plugin for WordPress, affecting all versions up to and including 3.19.4 (the advisory gives no lower bound, "n/a"). The issue stems from improper neutralization of user input during web page generation: attacker-controlled HTML and JavaScript is accepted and persisted in the site's database, and when that content is later rendered into a page it is emitted without escaping, so the script executes in the context of the viewing user's browser [1].
Attack Vector and Requirements
Exploitation requires an authenticated user with at least Contributor-level privileges (or an equivalent role) to submit the payload through an input the plugin stores without neutralizing it. Attack complexity is low. The user-interaction requirement is satisfied on the victim side: because the payload is stored in the site itself, it triggers whenever another user, whether an administrator or an unauthenticated visitor, loads the page on which the stored content is rendered; no specially crafted link has to be delivered to the victim [1].
Impact
Successful exploitation executes attacker-supplied script in the browser of every user who views the compromised page. This can be used to redirect visitors to malicious sites, inject unauthorized advertisements, deface the site, or act on behalf of a logged-in viewer. Note that WordPress authentication cookies are HttpOnly by default, so the realistic risk from an administrator viewing the page is not direct cookie theft but script performing authenticated actions in that administrator's session. The vendor rates the severity as low; the CVSS v3 base score of 5.9 corresponds to medium severity, reflecting that a single stored payload affects every visitor of the site [1].
Mitigation
The vulnerability is addressed in WP Rocket 3.20.0.2 and later; update as soon as possible. Where updating is not immediately possible, restrict which roles can submit the affected input and place a web application firewall (WAF) in front of the site to filter common XSS payloads, treating this as a stopgap rather than a fix. After updating, review content already stored by lower-privileged users for injected markup, since the patch prevents new injections but does not retroactively clean the database. The Patchstack platform offers auto-update for vulnerable plugins [1].
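The following is an added example, not WP Rocket's code, illustrating both the stored-XSS pattern described in the overview above and the mitigation just discussed. It shows a hypothetical plugin settings field (all `xss_demo_*` names are assumptions) once in the vulnerable form, where stored input is echoed into a page unescaped, and once in the hardened form that authorizes the writer, validates on the way in, and escapes for the output context on the way out. It uses only standard WordPress API functions (`current_user_can`, `check_admin_referer`, `wp_kses_post`, `esc_attr`, `esc_html`, `get_option`, `update_option`) and assumes it is loaded inside a WordPress plugin.

```php
<?php
// Added illustration, not WP Rocket code. The option name, form field and
// function names (xss_demo_*) are hypothetical.

// --- Vulnerable pattern ------------------------------------------------------
// Whoever can reach the form can store raw HTML; the render path echoes it
// into every page as-is. A stored <script> or onerror= handler runs for each
// viewer, including administrators.
function xss_demo_save_vulnerable() {
    if ( isset( $_POST['xss_demo_footer'] ) ) {
        // No capability check, no nonce, no sanitization.
        update_option( 'xss_demo_footer', wp_unslash( $_POST['xss_demo_footer'] ) );
    }
}

function xss_demo_render_vulnerable() {
    echo '<div class="footer-note">' . get_option( 'xss_demo_footer', '' ) . '</div>';
}

// --- Hardened pattern --------------------------------------------------------
function xss_demo_save_hardened() {
    if ( ! isset( $_POST['xss_demo_footer'] ) ) {
        return;
    }
    // Only users who may manage site-wide settings can change site-wide output;
    // this is the "restrict role permissions" mitigation expressed in code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Reject forged (CSRF) submissions; the nonce field is assumed to be
    // emitted by wp_nonce_field( 'xss_demo_save', 'xss_demo_nonce' ) in the form.
    check_admin_referer( 'xss_demo_save', 'xss_demo_nonce' );

    // Keep only the HTML subset WordPress allows in post content. wp_kses_post()
    // removes <script>, on* event handlers and disallowed URL schemes such as
    // javascript:, while leaving harmless formatting intact.
    $clean = wp_kses_post( wp_unslash( $_POST['xss_demo_footer'] ) );
    update_option( 'xss_demo_footer', $clean );
}

function xss_demo_render_hardened() {
    $note = get_option( 'xss_demo_footer', '' );
    // Filter again on output: rows written before the fix may still hold
    // unneutralized markup, so never trust the database alone.
    echo '<div class="footer-note">' . wp_kses_post( $note ) . '</div>';
}

// Values that land in an attribute or in text nodes need the escaper for that
// exact context. Using an HTML-body filter for an attribute (or vice versa)
// is itself a classic cause of stored XSS.
function xss_demo_render_title_link( $title ) {
    return '<a href="#" title="' . esc_attr( $title ) . '">' . esc_html( $title ) . '</a>';
}
```

The important structural point is that the hardened version does not rely on any single layer: the capability check limits who can write, the nonce limits how the write can be triggered, `wp_kses_post()` on input limits what is stored, and escaping on output protects even data that was stored before the fix. A WAF in front of the site adds another layer but substitutes for none of these.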
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.