CVE-2026-28044
Received Received - Intake
Stored XSS in WP Rocket Plugin Allows Persistent Script Injection

Publication date: 2026-03-19

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28044
EUVD
EUVD-2026-13047
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wp_media wp_rocket From 3.0.0 (inc) to 3.19.4 (inc)
wp_media wp_rocket 3.20.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28044 is a Cross Site Scripting (XSS) vulnerability in the WordPress WP Rocket Plugin versions up to and including 3.19.4.

This vulnerability allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into a website. These scripts execute when visitors access the site.

Exploitation requires a privileged user, like an author or developer, to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for the attack to succeed.

Impact Analysis

[{'type': 'paragraph', 'content': 'The vulnerability can lead to the execution of malicious scripts on your website, which may cause unwanted redirects, display of unauthorized advertisements, or other harmful HTML content.'}, {'type': 'paragraph', 'content': "This can compromise the integrity and trustworthiness of your website, potentially harming your users' experience and exposing them to further attacks."}, {'type': 'paragraph', 'content': 'However, exploitation requires privileged user interaction, which limits the ease of attack, and no impactful threat has been reported so far.'}, {'type': 'paragraph', 'content': 'Updating the WP Rocket Plugin to version 3.20.0.2 or later is strongly advised to mitigate this risk.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-28044 vulnerability in the WP Rocket plugin, users should update the plugin to version 3.20.0.2 or later, where the issue is patched.

Additionally, using automated update tools like those offered by Patchstack can help rapidly protect vulnerable installations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28044. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart