
CVE-2025-6213: CWE-94 Improper Control of Generation of Code ('Code Injection') in psauxit Nginx Cache Purge Preload

Severity: High
Tags: Vulnerability, CVE-2025-6213, CWE-94
Published: Tue Jul 22 2025 (07/22/2025, 09:22:44 UTC)
Source: CVE Database V5
Vendor/Project: psauxit
Product: Nginx Cache Purge Preload

Description

The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

AI-Powered Analysis

Last updated: 08/02/2025, 00:35:32 UTC

Technical Analysis

CVE-2025-6213 is a high-severity remote code execution (RCE) vulnerability in the Nginx Cache Purge Preload plugin for WordPress, developed by psauxit. It affects all versions up to and including 2.1.1.

Root cause: the value of the HTTP Referer request header is read in the 'nppp_handle_fastcgi_cache_actions_admin_bar' function and passed, without adequate sanitization, to 'nppp_preload_cache_on_update', where it is used in a way that lets the sender control code the server executes. The CVE description names the superglobal key $_SERVER['HTTP_REFERERER']; PHP exposes the Referer header as $_SERVER['HTTP_REFERER']. Whichever key the plugin reads, the value is entirely client-controlled: browsers send it automatically with every admin-bar action, and any HTTP client can set it to an arbitrary string. The weakness is classified as CWE-94 (Improper Control of Generation of Code): untrusted input is incorporated into code or a command that is subsequently executed.

Severity: the CVSS v3.1 base score is 7.2 (High), with network attack vector, low attack complexity, high privileges required (Administrator or above), no user interaction, and high impact on confidentiality, integrity, and availability. The privilege requirement narrows the attacker population to existing administrators and to anyone holding stolen administrator credentials, but it does not reduce the consequences: successful exploitation yields code execution under the account that runs PHP on the web server, which in practice is enough for data theft, site defacement, web-shell or malware deployment, and pivoting into adjacent systems.

Status at the time of this analysis: no public exploit has been reported and no patch is linked in the record, so remediation depends on a vendor update or on the interim measures listed under Mitigation Recommendations. The plugin automates purging and preloading of the Nginx FastCGI cache for WordPress sites, a common hosting stack, so the population of affected installs is potentially large; sites with many administrators or weak credential hygiene are the most exposed.

Potential Impact

For European organizations, this vulnerability presents a significant risk to web infrastructure that runs WordPress with the Nginx Cache Purge Preload plugin. Successful exploitation yields code execution on the web server and can lead to unauthorized access to sensitive data, disruption of web services, and lateral movement into corporate networks: confidentiality is affected by exposure of customer and business data, integrity by modification of site content or back-end data, and availability by denial of service or defacement. Given the high adoption of WordPress in Europe for corporate, governmental, and e-commerce sites, the consequences can extend to reputational damage, regulatory exposure (for example GDPR obligations following a personal-data breach), and financial loss. The need for Administrator-level access limits exploitation to insiders and to attackers who have already obtained administrator credentials, but administrator credentials are a routine target of phishing and credential stuffing, so that requirement should not be read as a strong barrier. The absence of a linked patch at the time of disclosure lengthens the window of exposure. Managed service providers that host many client sites on a shared WordPress/Nginx stack, and sites that rely on this plugin's automated cache preloading, face the largest aggregate impact.

Mitigation Recommendations

1. Limit who holds the Administrator role: review the user list, remove or downgrade accounts that do not need it, and require multi-factor authentication (MFA) for the administrators that remain, since compromised administrator credentials are the realistic path to exploitation.
2. Log and review administrator activity and the Referer header on requests to the admin area (wp-admin, admin-ajax.php, and the admin-bar cache actions this plugin adds). A Referer that is not the site's own origin, or that contains shell metacharacters, quotes, backticks, PHP tags or their URL-encoded equivalents, does not occur in normal admin-bar use and should be investigated.
3. Deactivate and remove the plugin where it is not essential, or replace it with a cache-management solution that does not carry this flaw.
4. Validate the Referer header at the edge: on admin-area requests, have Nginx or the web application firewall accept only a Referer whose origin is the site itself (or no Referer at all) and drop requests whose Referer carries the characters listed in item 2. This does not fix the plugin, but it removes the attacker's input channel until a patch is available.
5. Where a WAF is in use, add a rule for code- and command-injection patterns scoped to the Referer header, so that it catches this vector without blocking the site's own pages.
6. Keep WordPress core, plugins and Nginx current, and watch the Wordfence advisory and the plugin's changelog for a release that addresses CVE-2025-6213; apply it as soon as it appears.
7. Include administrative interfaces and cache-management features in periodic security assessments and penetration tests.
8. Segment the network so that a compromised web server cannot reach internal systems freely, and run PHP under a dedicated low-privilege account so that code execution in the plugin does not translate directly into control of the host.
9. Take regular backups of site files, database and configuration, stored where a compromised server cannot alter them, so that a clean restore is possible.
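The following PHP is an added illustration, not code from the Nginx Cache Purge Preload plugin or from psauxit, of the bug class the Technical Analysis describes (a client-controlled Referer value flowing into a generated command) next to the header validation that mitigation item 4 asks for. The nppp_example_* function names, the wget preload command used as the sink, and the sample header values are all assumptions made for this example; the plugin's actual sink is not published in the record.

```php
<?php
// Added illustration of CVE-2025-6213's bug class (CWE-94 reached through the
// client-controlled Referer header). This is NOT the Nginx Cache Purge Preload
// plugin's code: the nppp_example_* names, the wget preload command and the
// sample header values are assumptions made for this example.

// Vulnerable pattern. PHP exposes the Referer request header as
// $_SERVER['HTTP_REFERER']; any client, including a logged-in administrator's
// browser, can set it to an arbitrary string. Concatenating it into a command
// line means shell syntax in the header becomes shell syntax in the command.
function nppp_example_preload_command_unsafe(): string {
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    // DO NOT DO THIS: raw header text inside a command that will be executed.
    return 'wget -q -O /dev/null ' . $referer;
}

// Hardened pattern, step 1: allow-list the value. Only http/https, only this
// site's own host, and only a conservative character set in path and query.
// The URL is rebuilt from parsed parts so nothing outside those parts survives.
function nppp_example_validate_referer(string $referer, string $home_url): ?string {
    $parts = parse_url($referer);
    $home  = parse_url($home_url);
    if ($parts === false || $home === false || empty($parts['host']) || empty($home['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (strcasecmp($parts['host'], $home['host']) !== 0) {
        return null;  // foreign host: nothing we should fetch on a referer's say-so
    }
    $path = $parts['path'] ?? '/';
    if (!preg_match('#^/[A-Za-z0-9._~%/:@+,=-]*$#', $path)) {
        return null;  // rejects quotes, $, backticks, ;, (, ), spaces, ...
    }
    $query = '';
    if (isset($parts['query'])) {
        if (!preg_match('#^[A-Za-z0-9._~%/:@+,=&-]*$#', $parts['query'])) {
            return null;
        }
        $query = '?' . $parts['query'];
    }
    return $scheme . '://' . $parts['host'] . $path . $query;
}

// Hardened pattern, step 2: even a validated URL is passed to the shell as a
// single quoted argument. Unvalidated input falls back to the site root rather
// than being trusted.
function nppp_example_preload_command_safe(string $home_url): string {
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $target  = nppp_example_validate_referer($referer, $home_url);
    if ($target === null) {
        $target = rtrim($home_url, '/') . '/';
    }
    return 'wget -q -O /dev/null ' . escapeshellarg($target);
}

// Demonstration with constructed header values (not captured traffic).
$home = 'https://example.com';
foreach (['https://example.com/wp-admin/$(id)',           // same host, shell substitution in path
          'https://attacker.example/wp-admin/',           // foreign host
          'https://example.com/blog/?p=12&preview=true']  // legitimate same-site page
         as $referer) {
    $_SERVER['HTTP_REFERER'] = $referer;
    echo "Referer: {$referer}\n";
    echo "  unsafe: " . nppp_example_preload_command_unsafe() . "\n";
    echo "  safe:   " . nppp_example_preload_command_safe($home) . "\n";
}
```

Run it with `php example.php`. For the first header the unsafe function hands the `$(id)` substitution to the command line unchanged, where a shell would expand it; the safe function rejects the path on the character allow-list and falls back to the site root. The foreign-host header is rejected on the host comparison, and only the legitimate same-site URL reaches the command, and then inside the single quotes that escapeshellarg() adds. In a WordPress plugin the native equivalent of the allow-list step is wp_get_referer(), which returns the referer only after wp_validate_redirect() has accepted its host; a URL that is then handed to a shell still needs escapeshellarg(), or better, an HTTP client such as wp_remote_get() that involves no shell at all.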


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-17T19:03:21.568Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687f5a59a83201eaac1a3a7a
Added to database: 7/22/2025, 9:31:05 AM
Last enriched: 8/2/2025, 12:35:32 AM
Last updated: 8/15/2025, 12:35:05 AM
