CVE-2026-28044 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, found in the WP Rocket plugin developed by WP Media. WP Rocket is a popular performance optimization plugin for WordPress websites, widely used to improve page load times and caching. The vulnerability stems from improper neutralization of input during web page generation, which allows an attacker with high privileges (such as an authenticated administrator or editor) to inject malicious scripts that are stored and later executed in the context of other users’ browsers. This stored XSS can lead to unauthorized actions, session hijacking, or defacement. The CVSS v3.1 base score is 5.9, reflecting medium severity, with an attack vector of network (remote), low attack complexity, but requiring privileges and user interaction. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable module. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. The vulnerability affects all versions of WP Rocket up to 3.19.4. Since WP Rocket is a widely deployed plugin on WordPress sites, the vulnerability could impact a large number of websites globally, especially those with multiple users and administrative roles. The flaw highlights the importance of proper input sanitization and output encoding in web applications to prevent script injection attacks.

The impact of CVE-2026-28044 primarily involves the compromise of confidentiality, integrity, and availability of affected WordPress sites using WP Rocket. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of other users, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and website defacement. This can damage organizational reputation, lead to data breaches, and disrupt normal website operations. Since exploitation requires authenticated access with high privileges and user interaction, the risk is somewhat mitigated but still significant in environments with multiple administrators or editors. E-commerce sites, membership platforms, and corporate websites relying on WP Rocket are particularly vulnerable to business disruption and data leakage. The medium CVSS score reflects a moderate level of risk, but the widespread use of WP Rocket increases the potential attack surface globally.

1. Monitor WP Media’s official channels for patches addressing CVE-2026-28044 and apply updates promptly once available. 2. Restrict administrative and editor privileges to trusted personnel only, minimizing the number of users who can exploit this vulnerability. 3. Implement strict input validation and sanitization on all user inputs, especially those that can be stored and rendered on web pages. 4. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce the impact of XSS attacks. 5. Regularly audit user-generated content and plugin configurations to detect and remove any injected malicious scripts. 6. Use web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting WP Rocket. 7. Educate site administrators and users about phishing and social engineering risks that could facilitate exploitation. 8. Consider isolating or sandboxing administrative interfaces to reduce the risk of script execution affecting broader site components.