CVE-2026-28044
Received Received - Intake

Stored XSS in WP Rocket Plugin Allows Persistent Script Injection

Vulnerability report for CVE-2026-28044, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-19

Last updated on: 2026-04-28

Assigner: Patchstack

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-19
Last Modified
2026-04-28
Generated
2026-07-06
AI Q&A
2026-03-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wp_media wp_rocket From 3.0.0 (inc) to 3.19.4 (inc)
wp_media wp_rocket 3.20.0.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-28044 is a Cross Site Scripting (XSS) vulnerability in the WordPress WP Rocket Plugin versions up to and including 3.19.4.

This vulnerability allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into a website. These scripts execute when visitors access the site.

Exploitation requires a privileged user, like an author or developer, to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for the attack to succeed.

Impact Analysis

[{'type': 'paragraph', 'content': 'The vulnerability can lead to the execution of malicious scripts on your website, which may cause unwanted redirects, display of unauthorized advertisements, or other harmful HTML content.'}, {'type': 'paragraph', 'content': "This can compromise the integrity and trustworthiness of your website, potentially harming your users' experience and exposing them to further attacks."}, {'type': 'paragraph', 'content': 'However, exploitation requires privileged user interaction, which limits the ease of attack, and no impactful threat has been reported so far.'}, {'type': 'paragraph', 'content': 'Updating the WP Rocket Plugin to version 3.20.0.2 or later is strongly advised to mitigate this risk.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-28044 vulnerability in the WP Rocket plugin, users should update the plugin to version 3.20.0.2 or later, where the issue is patched.

Additionally, using automated update tools like those offered by Patchstack can help rapidly protect vulnerable installations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28044. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart