PatchSiren cyber security CVE debrief
CVE-2026-15350 kevp75 CVE debrief
The Cache Purger plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 2.3.20. This allows authenticated attackers with subscriber-level access and above to permanently truncate the plugin's cache-purge audit log, destroying the entire cache-purge audit history. The vulnerability exists due to the plugin not properly verifying that a user is authorized to perform an action. The tcp_log_purge nonce is rendered in the admin bar on frontend pages accessible to all authenticated users, including subscribers. This allows any authenticated user to possess the nonce required to trigger the deletion of the cache-purge audit log. Authenticated users with subscriber-level access and above on WordPress installations using The Cache Purger plugin version 2.3.20 or earlier should be aware of this vulnerability and take necessary actions to protect their sites.
- Vendor
- kevp75
- Product
- The Cache Purger
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Authenticated users with subscriber-level access and above on WordPress installations using The Cache Purger plugin version 2.3.20 or earlier should be aware of this vulnerability and take necessary actions to protect their sites. This includes reviewing and updating the plugin, monitoring for suspicious activity, and implementing additional security measures.
Technical summary
The vulnerability exists due to the plugin not properly verifying that a user is authorized to perform an action. The tcp_log_purge nonce is rendered in the admin bar on frontend pages accessible to all authenticated users, including subscribers. This allows any authenticated user to possess the nonce required to trigger the deletion of the cache-purge audit log. The Cache Purger plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 2.3.20. This allows authenticated attackers with subscriber-level access and above to permanently truncate the plugin's cache-purge audit log, destroying the entire cache-purge audit history.
Defensive priority
Medium priority due to the CVSS score of 4.3 and the potential impact on site security and audit history.
Recommended defensive actions
- Update The Cache Purger plugin to a version that fixes the authorization bypass vulnerability.
- Review and monitor cache-purge audit logs for any suspicious activity.
- Restrict access to sensitive areas of the WordPress site to prevent unauthorized actions.
- Implement additional security measures to detect and prevent exploitation attempts.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-16T09:16:18.047Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The Cache Purger plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 2.3.20. This allows authenticated attackers with subscriber-level access and above to permanently truncate the plugin's cache-purge audit log, destroying the entire cache-purge audit history. The tcp_log_purge nonce is rendered in the admin bar on frontend pages accessible to all authenticated users, including subscribers. This allows any authenticated user to possess the nonce required to trigger the deletion of the cache-purge audit log. The vulnerability exists due to the plugin not properly verifying that a user is authorized to perform an action.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:18.047Z and has not been modified since then. The NVD entry is currently in the 'Received' status.