CVE-2026-15350
Received Received - Intake

Authorization Bypass in Cache Purger WordPress Plugin

Vulnerability report for CVE-2026-15350, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Wordfence

Description

The The Cache Purger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.3.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently truncate the plugin's cache-purge audit log (wp-content/purge.log), destroying the entire cache-purge audit history. The tcp_log_purge nonce is rendered in the admin bar on frontend pages accessible to all authenticated users including subscribers, meaning any authenticated user possesses the nonce required to trigger the deletion.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cache_purger cache_purger to 2.3.20 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Cache Purger plugin for WordPress has an authorization bypass flaw in versions up to 2.3.20. It fails to verify user permissions before allowing actions. Authenticated attackers with subscriber-level access or higher can permanently delete the plugin's cache-purge audit log file, erasing all cache-purge history. The vulnerability exists because a required security token (nonce) is exposed in the admin bar on frontend pages accessible to all authenticated users.

Detection Guidance

Check for unauthorized modifications to the purge.log file in wp-content. Inspect WordPress admin bar for the tcp_log_purge nonce on frontend pages accessible to subscribers. Review WordPress user roles with subscriber access or higher for unusual activity.

Impact Analysis

If you use the vulnerable Cache Purger plugin, an attacker could delete your cache-purge audit logs. This would erase records of cache clearing operations, potentially hiding evidence of malicious activity or system maintenance. While it doesn't directly compromise data, it removes forensic data that could be important for security investigations or compliance audits.

Compliance Impact

This vulnerability could impact compliance by removing audit logs that may be required for regulatory purposes. GDPR and HIPAA both emphasize data integrity and audit trails. Deleting cache-purge logs might hinder your ability to demonstrate proper data handling or system maintenance, potentially violating record-keeping requirements in these standards.

Mitigation Strategies

Update the Cache Purger plugin to the latest version beyond 2.3.20. Remove the tcp_log_purge nonce from frontend admin bar. Restrict subscriber-level access to sensitive functions. Monitor purge.log for unauthorized truncation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart