CVE-2025-6213: CWE-94 Improper Control of Generation of Code ('Code Injection') in psauxit Nginx Cache Purge Preload
The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
AI Analysis
Technical Summary
CVE-2025-6213 is a remote code execution (RCE) vulnerability classified under CWE-94 (Improper Control of Generation of Code) found in the Nginx Cache Purge Preload plugin for WordPress, maintained by psauxit. The vulnerability exists in all versions up to and including 2.1.1, specifically within the 'nppp_preload_cache_on_update' function. The root cause is insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter, which is passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. An attacker with authenticated administrator-level privileges can exploit this flaw by crafting malicious HTTP_REFERERER headers, enabling arbitrary code execution on the underlying web server. The CVSS v3.1 base score is 7.2, reflecting high severity due to network attack vector, low attack complexity, high privileges required, and no user interaction needed. The vulnerability affects the confidentiality, integrity, and availability of the server and hosted applications. Although no public exploits are currently known, the potential impact is significant given the level of access and control gained. The plugin is widely used in WordPress environments that leverage Nginx caching mechanisms, making this a critical concern for web administrators. No official patches have been released at the time of this report, emphasizing the need for immediate mitigation strategies.
Potential Impact
Successful exploitation of CVE-2025-6213 allows an authenticated administrator to execute arbitrary code on the web server hosting the WordPress site. This can lead to full system compromise, including unauthorized data access, data modification, deployment of malware or ransomware, and disruption of service. The vulnerability threatens the confidentiality of sensitive information stored or processed by the website, the integrity of website content and server configurations, and the availability of the web service. Given the privileged access required, the attack surface is limited to insiders or compromised administrator accounts, but the consequences of exploitation are severe. Organizations relying on this plugin for caching performance may face downtime, reputational damage, and regulatory compliance issues if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation.
Mitigation Recommendations
1. Immediately restrict administrator-level access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
2. Monitor and log HTTP headers, especially HTTP_REFERERER, for suspicious or anomalous values that could indicate exploitation attempts.
3. Implement web application firewall (WAF) rules to sanitize or block malicious HTTP_REFERERER inputs targeting the vulnerable functions.
4. Disable or uninstall the Nginx Cache Purge Preload plugin if feasible until a patched version is released.
5. Regularly audit WordPress plugins and update them promptly once the vendor releases a security patch addressing this vulnerability.
6. Employ least privilege principles for administrator accounts and consider segmentation of administrative functions to limit potential damage.
7. Conduct penetration testing and vulnerability scanning focused on this plugin to identify any exploitation attempts or residual risks.
8. Stay informed through official vendor channels and security advisories for updates or patches.
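One way to carry out the header monitoring in recommendation 2 over existing access logs, as an added example that is not part of the original advisory or the plugin's code. It assumes nginx's "combined" log format and that the parameter named above corresponds to the logged Referer request header; `SITE_HOST`, the sample lines and the checks themselves (generic URL well-formedness, not a signature for this CVE) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "blog.example.test"   # assumption: the site's own hostname
ADMIN_PREFIX = "/wp-admin/"       # only administrator-area requests are in scope
# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Characters RFC 3986 allows in a URI; anything else should arrive percent-encoded.
URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")

def referer_findings(referer):
    """Return the reasons a Referer value is anomalous (empty list if normal)."""
    if referer in ("", "-"):
        return []
    reasons = []
    if not URI_CHARS.match(referer):
        reasons.append("characters outside the RFC 3986 URI set")
    try:
        parts = urlsplit(referer)
    except ValueError:
        return reasons + ["unparseable URL"]
    if parts.scheme not in ("http", "https"):
        reasons.append("not an http(s) URL")
    elif parts.hostname != SITE_HOST:
        reasons.append("foreign host")  # triage signal, not proof of abuse
    return reasons

def scan(lines):
    """Return (ip, path, referer, reasons) for admin requests with an odd Referer."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PREFIX):
            continue
        reasons = referer_findings(m["referer"])
        if reasons:
            hits.append((m["ip"], m["path"], m["referer"], reasons))
    return hits

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    '203.0.113.10 - - [22/Jul/2025:09:31:05 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "https://blog.example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.10 - - [22/Jul/2025:09:31:09 +0000] "GET /wp-admin/admin.php?page=placeholder HTTP/1.1" 302 0 "EXAMPLE-NON-URL-VALUE {placeholder}" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jul/2025:09:32:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "https://other.example.net/page" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jul/2025:09:32:04 +0000] "GET /2025/07/post/ HTTP/1.1" 200 900 "EXAMPLE-NON-URL-VALUE {placeholder}" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Hits are leads for review alongside the administrator session that produced them; nginx writes a double quote in a logged header as `\x22`, so such values are still flagged through the backslash.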
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-17T19:03:21.568Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 687f5a59a83201eaac1a3a7a
Added to database: 7/22/2025, 9:31:05 AM
Last enriched: 2/27/2026, 4:07:36 PM
Last updated: 3/27/2026, 10:11:35 AM