CVE-2026-25347: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Acato WP REST Cache
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Acato WP REST Cache wp-rest-cache allows Stored XSS. This issue affects WP REST Cache: from n/a through <= 2026.1.0.
AI Analysis
Technical Summary
CVE-2026-25347 identifies a stored Cross-site Scripting (XSS) vulnerability in the Acato WP REST Cache plugin for WordPress. This vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be embedded persistently within the content served by the plugin. When a victim accesses the affected page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability affects all versions up to and including 2026.1.0, with no patch currently indicated. Exploitation does not require authentication, increasing the attack surface, and no user interaction beyond visiting the compromised page is necessary. Although no active exploits have been reported, the nature of stored XSS makes it a critical concern for websites relying on this plugin. The WP REST Cache plugin is used to improve REST API response times by caching, making it a common component in WordPress sites that utilize REST API calls. The vulnerability could be exploited by attackers submitting crafted input that is stored and later rendered unsafely, affecting both site administrators and visitors. The lack of a CVSS score necessitates an expert severity assessment based on impact and exploitability factors.
Potential Impact
The stored XSS vulnerability in WP REST Cache can have severe consequences for organizations worldwide. Attackers can inject malicious scripts that execute in the browsers of site visitors and administrators, leading to theft of authentication cookies, session tokens, or other sensitive information. This can result in account takeover, unauthorized actions on behalf of users, defacement, or distribution of malware. The integrity and confidentiality of the affected websites and their users are at risk. Additionally, the availability of the site could be indirectly impacted if attackers use the vulnerability to disrupt services or cause reputational damage. Since the vulnerability requires no authentication and minimal user interaction, it can be exploited at scale, affecting a broad range of WordPress sites using this plugin. Organizations relying on WP REST Cache for performance improvements may face increased risk exposure until the vulnerability is remediated.
Mitigation Recommendations
To mitigate CVE-2026-25347, organizations should immediately audit their WordPress installations for the presence of the WP REST Cache plugin and identify affected versions. Since no patch is currently listed, administrators should consider temporarily disabling or uninstalling the plugin until a secure update is released. Implementing a Web Application Firewall (WAF) with rules to detect and block typical XSS payloads targeting REST API endpoints can provide interim protection. Additionally, input validation and output encoding should be enforced at the application level if custom modifications are possible. Monitoring logs for suspicious REST API requests and unusual user input patterns can help detect exploitation attempts. Site owners should also educate users and administrators about the risks of XSS and encourage the use of strong authentication and session management practices to limit the impact of potential attacks. Once a patch becomes available, prompt application is critical. Regular security assessments and plugin updates should be part of ongoing maintenance.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-02-02T12:52:42.958Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69c41167f4197a8e3b6d65b7
Added to database: 3/25/2026, 4:46:31 PM
Last enriched: 3/25/2026, 6:32:47 PM
Last updated: 3/26/2026, 5:35:21 AM