CVE-2026-15350 Overview
CVE-2026-15350 is an authorization bypass vulnerability in The Cache Purger plugin for WordPress, affecting all versions up to and including 2.3.20. The plugin fails to properly verify that a user is authorized to perform cache-purge audit log operations. Authenticated attackers with subscriber-level access or above can permanently truncate the plugin's cache-purge audit log stored at wp-content/purge.log. The tcp_log_purge nonce is rendered in the admin bar on frontend pages accessible to all authenticated users, meaning any logged-in user possesses the nonce required to trigger the deletion. The flaw is categorized under [CWE-862] Missing Authorization.
Critical Impact
Any authenticated user, including low-privilege subscribers, can destroy the entire cache-purge audit history, eliminating forensic evidence of prior cache operations.
Affected Products
- The Cache Purger plugin for WordPress
- All versions up to and including 2.3.20
- WordPress sites where the plugin is active with open registration or multi-user access
Discovery Timeline
- 2026-07-16 - CVE-2026-15350 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-15350
Vulnerability Analysis
The Cache Purger plugin exposes a cache-purge audit log deletion action without enforcing a capability check on the requesting user. WordPress plugins typically combine two controls to authorize privileged actions: a nonce (CSRF token) and a capability check such as current_user_can('manage_options'). This plugin implements the nonce but omits the capability check.
Because the tcp_log_purge nonce is emitted into the admin bar for every authenticated session, including subscribers, the nonce provides no meaningful authorization boundary. An attacker who can register or already holds a subscriber account can extract the nonce from any frontend page and submit a request that truncates wp-content/purge.log.
The integrity impact is limited to destruction of audit history. Confidentiality and availability of the WordPress site itself are not directly affected, but loss of the audit log can hinder incident response and forensic investigations following cache manipulation activity.
Root Cause
The root cause is a missing authorization check in the handler for the log-purge action. Review of the plugin source in the WordPress Plugin Code Review confirms the handler validates the nonce but does not verify the user's capability level before deleting the log file. Additional handler logic in kp-cache-purge-common.php similarly relies solely on nonce validation.
Attack Vector
An authenticated attacker with subscriber privileges loads any frontend page rendering the WordPress admin bar. The tcp_log_purge nonce is present in the admin bar markup. The attacker extracts the nonce and issues an authenticated request to the plugin's log-purge endpoint. The plugin validates the nonce, skips capability enforcement, and truncates wp-content/purge.log, destroying the audit history.
The vulnerability mechanism is described in the Wordfence Vulnerability Report. No proof-of-concept code has been publicly released.
Detection Methods for CVE-2026-15350
Indicators of Compromise
- Unexpected truncation or zero-byte state of wp-content/purge.log on WordPress installations running The Cache Purger plugin
- HTTP POST requests from subscriber-level accounts targeting the plugin's admin-ajax or admin-post endpoint containing the tcp_log_purge action parameter
- Gaps in cache-purge audit history that do not correspond to legitimate administrator activity
Detection Strategies
- Monitor file integrity on wp-content/purge.log and alert on unexpected size reduction or truncation events
- Correlate WordPress access logs with authenticated user roles to identify low-privilege accounts invoking cache-purge administrative actions
- Review web server logs for POST requests referencing the tcp_log_purge nonce or action originating from non-administrator sessions
Monitoring Recommendations
- Enable WordPress audit logging via a third-party security plugin to record subscriber and contributor actions independently of the plugin's own log
- Forward WordPress and web server logs to a centralized SIEM or data lake for correlation and long-term retention
- Alert on new subscriber account registrations followed by requests to plugin administrative endpoints within a short time window
How to Mitigate CVE-2026-15350
Immediate Actions Required
- Update The Cache Purger plugin to a version later than 2.3.20 once the vendor releases a patched build
- Audit existing WordPress user accounts and remove or downgrade unnecessary subscriber and contributor accounts
- Disable open user registration on sites that do not require it by unchecking Settings → General → Membership
- Back up wp-content/purge.log and other audit artifacts to an out-of-band location for forensic preservation
Patch Information
Refer to the WordPress Plugin Change Log for the vendor's remediation commit. The corrected handler must invoke a capability check such as current_user_can('manage_options') in addition to nonce validation before performing log deletion.
Workarounds
- Deactivate The Cache Purger plugin until a patched release is installed if audit log integrity is required for compliance
- Restrict access to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php for non-administrator roles using a web application firewall rule that blocks requests containing action=tcp_log_purge from users without the manage_options capability
- Relocate the purge.log file to a directory outside the web root and set file permissions that prevent modification by the web server user, where the plugin configuration permits
# Example WAF rule concept blocking tcp_log_purge from non-admins
# (Pseudocode — adapt to your WAF syntax)
if request.uri matches "/wp-admin/admin-(ajax|post)\.php"
and request.body contains "action=tcp_log_purge"
and session.role != "administrator"
then deny 403
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

