CVE-2026-1843

Super Page Cache · Super Page Cache

The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to and including version 5.

Executive summary

The Super Page Cache plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in its Activity Log that could allow attackers to gain administrative access.

Vulnerability

This vulnerability is a Stored Cross-Site Scripting (XSS) flaw within the plugin's Activity Log feature. An attacker can submit malicious data that is recorded in the log; when an administrator views the Activity Log in the WordPress dashboard, the malicious script executes in their browser context.

Business impact

This flaw is particularly dangerous because it specifically targets administrators who are performing routine maintenance. Successful exploitation can lead to complete site compromise: the attacker's script runs in the administrator's authenticated browser session, and therefore with administrative privileges, allowing for the creation of new admin accounts or the modification of site files. The CVSS score is 7.2 (High).

Remediation

Immediate Action: Update the Super Page Cache plugin to the latest version to secure the Activity Log functionality.

Proactive Monitoring: Review the plugin's Activity Log for any unusual entries or script fragments and monitor for unauthorized changes to the WordPress configuration.

Compensating Controls: Implement a Web Application Firewall (WAF) to filter malicious payloads in HTTP requests before they can be recorded in application logs.
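One way to carry out the Proactive Monitoring review is to scan an exported copy of the Activity Log for markup, as in the added example below; it is not code from the plugin or from this advisory. The one-entry-per-line text format, the sample entries and the rule names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Markers of HTML/script content that has no place in a cache activity log.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event-handler", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("active-element", re.compile(r"<\s*(iframe|svg|img|object|embed)\b", re.I)),
]

def normalize(text, rounds=3):
    """Undo layered URL and HTML-entity encoding so encoded markup is visible."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text

def scan_log(lines):
    """Return (line_number, [rule names]) for every entry that matches a rule."""
    findings = []
    for number, line in enumerate(lines, start=1):
        candidate = normalize(line)
        hits = [name for name, pattern in SUSPICIOUS if pattern.search(candidate)]
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample entries; the real Activity Log format is an assumption.
SAMPLE_LOG = [
    "[2026-01-10 09:12:01] event=purge note=homepage refreshed",
    "[2026-01-10 09:13:44] event=purge note=<script>alert(1)</script>",
    "[2026-01-10 09:15:02] event=purge note=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
    "[2026-01-10 09:16:30] event=preload note=42 URLs queued",
    "[2026-01-10 09:17:05] event=purge note=&lt;svg onload=alert(1)&gt;",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

A match is a prompt for manual review of that entry, not proof of compromise; open flagged entries in a text viewer rather than in the dashboard of an unpatched site.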

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the direct threat to administrative accounts, this vulnerability requires immediate attention. IT teams should update the Super Page Cache plugin to the latest version across all WordPress installations. Failure to patch may result in a complete compromise of the WordPress environment when administrators view system logs.