A security firm, Wordfence, has flagged a high-severity stored cross-site scripting (XSS) flaw in the Super Page Cache plugin from Optimole. Tracked as CVE-2026-1843, the bug affects all versions up to and including 5.2.2.
At its core, this vulnerability lets unauthenticated attackers inject malicious web scripts into the Activity Log. Those scripts persist in the database and fire whenever any user (admin, visitor, or otherwise) loads an affected page.
No privileges required; no user interaction needed. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. Scope is Changed (S:C), meaning the impact can extend beyond the vulnerable component, potentially affecting related pages or resources managed by the cache.
WordPress powers over 40% of the web, and caching plugins like Super Page Cache are staples for performance boosts. They generate static HTML snapshots of dynamic pages and serve them lightning-fast to reduce server load.
But here, the Activity Log, a feature that tracks cache events, becomes the weak link. Attackers craft payloads that slip past validation, get stored, and are rendered unescaped on front-end pages. When a visitor hits one, boom: arbitrary JavaScript executes in their browser context.
The payload could snag session cookies, hijack admin logins, or drop secondary exploits, such as keyloggers. Since it’s stored XSS tied to a cache mechanism, the reach amplifies, with scripts propagating via cached pages viewed by thousands.
Multisite installs? Extra dicey, as one compromised log could taint shared resources. No known exploits in the wild yet, per Wordfence’s threat intel, but the low barrier (PR:N) screams “watch list.”
The flaw was identified via fuzzing and code review and traced to CWE-79 (improper neutralization of input during web page generation) in the plugin’s log handling. Optimole pushed a fix in version 5.2.3, detailed in the plugin’s WordPress Trac changeset 3454474.
Sites on vulnerable releases need immediate attention, especially high-traffic ones with public activity logs enabled.
| Aspect | Details |
|---|---|
| CVE ID | CVE-2026-1843 |
| Severity | High (CVSS 7.2) |
| Affected Product | Super Page Cache (Optimole) |
| Versions | ≤ 5.2.2 |
| CWE | CWE-79 (XSS) |
| Attack Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| Impact | Low Confidentiality (C:L), Low Integrity (I:L), None Availability (A:N) |
| Patch | Upgrade to 5.2.3+ |
Detection and Mitigation
Detection isn’t rocket science, but it demands vigilance. Hunt for rogue inline <script> tags in Activity Log entries or page source. Browser dev tools might flag CSP violations or XSS errors on cached pages.
Server logs could show odd spikes in plugin-related entries or anomalous outbound fetches from front-end JS.
For mitigation, prioritize patching: grab 5.2.3 from the WordPress plugin repository and test it in staging first. No quick fix? Turn off the plugin entirely or whip up a WAF rule stripping script tags from log input, something like a ModSecurity SecRule targeting <script> in POSTs to log endpoints.
Layer on a tight Content Security Policy (CSP) banning inline scripts, for example `script-src 'self';`. Monitor user reports for redirects, pop-ups, and other anomalies on affected sites.
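As an added illustration (not code from Wordfence, Optimole, or the plugin itself), the following Python script shows the two detection checks above on constructed sample data, scanning Activity Log entries and cached page HTML for inline-script indicators, and contrasts the CWE-79 pattern (raw log text concatenated into HTML) with the generic fix of escaping log text on output. The sample log entries, the regexes, and all function names are assumptions for this example, not the plugin’s own.

```python
"""
Added example (not Wordfence's, Optimole's, or the plugin's code): flag
stored-XSS indicators in Activity Log entries and cached HTML, and show
why escaping on output neutralises a stored payload.
"""
import html
import re
from typing import Dict, List

# Constructed sample log entries. Entries 2 and 3 stand in for text that
# slipped past validation and was stored; they are illustrative only.
SAMPLE_LOG_ENTRIES = [
    "Cache purged for /about-us/",
    "Preloaded 12 pages in 3.4s",
    "Cache purged for /<script>alert('xss')</script>",
    'Purge request from <img src=x onerror="alert(1)">',
]

# Indicators a defender would hunt for in log entries or page source.
INLINE_SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
# An on*= attribute counts only inside a tag; escaped text has no '<'.
EVENT_HANDLER_RE = re.compile(r"<[a-z]+[^>]*\bon[a-z]+\s*=", re.IGNORECASE)
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def find_xss_indicators(text: str) -> List[str]:
    """Return the indicator names present in a log entry or HTML blob."""
    found = []
    if INLINE_SCRIPT_RE.search(text):
        found.append("script-tag")
    if EVENT_HANDLER_RE.search(text):
        found.append("event-handler")
    if JS_URI_RE.search(text):
        found.append("javascript-uri")
    return found


def scan_log_entries(entries: List[str]) -> List[Dict[str, object]]:
    """Flag entries carrying indicators, keeping their index for follow-up."""
    hits = []
    for idx, entry in enumerate(entries):
        indicators = find_xss_indicators(entry)
        if indicators:
            hits.append({"index": idx, "indicators": indicators, "entry": entry})
    return hits


def scan_cached_page(html_doc: str) -> int:
    """Count <script> tags in a cached page, to compare with a known baseline."""
    return len(INLINE_SCRIPT_RE.findall(html_doc))


def render_log_entry_unsafe(entry: str) -> str:
    """The CWE-79 pattern: stored log text dropped straight into page HTML."""
    return f"<li class='log-entry'>{entry}</li>"


def render_log_entry_safe(entry: str) -> str:
    """Escape on output so the stored text is displayed, never executed."""
    return f"<li class='log-entry'>{html.escape(entry, quote=True)}</li>"


if __name__ == "__main__":
    for hit in scan_log_entries(SAMPLE_LOG_ENTRIES):
        print(f"entry {hit['index']}: {', '.join(hit['indicators'])}")
    bad = SAMPLE_LOG_ENTRIES[2]
    print(find_xss_indicators(render_log_entry_unsafe(bad)))  # ['script-tag']
    print(find_xss_indicators(render_log_entry_safe(bad)))    # []
```

Run it against a dump of the log table or the cache directory’s HTML files; the regexes are deliberately simple, so treat a hit as a lead to review by hand rather than a verdict. The safe renderer is the same idea WordPress exposes through its escaping helpers: escaping happens at output time, and the stored string is never trusted to be HTML.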
Security teams should slot this into urgent queues. CVSS 7.2 isn’t panic mode like a remote code exec, but unauth stored XSS in a cache plugin is no joke.
No EPSS or KEV signals yet, so it’s not “drop everything,” but broad WordPress adoption means swift remediation curbs real-world blast radius. Optimole’s response time looks solid; now it’s on site owners to act.
As caching plugins evolve, this underscores a timeless lesson: logs aren’t just data dumps, they’re attack surfaces. Sanitize ruthlessly, escape outputs, and audit third-party code. WordPress admins, check your plugins tab today.