CVE-2025-58807

HIGH

Dsingh Purge Varnish Cache <2.6 - CSRF

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-58807. PoCs published by erikharden.

AI-analyzed exploit summary

This repository provides a detailed technical analysis and patch for CVE-2025-58807, a CSRF vulnerability in the Purge Varnish Cache WordPress plugin. The vulnerability arises from loose equality comparison in PHP, allowing invalid nonces to be treated as valid, thus bypassing CSRF protection.

Description

Cross-Site Request Forgery (CSRF) vulnerability in Dsingh Purge Varnish Cache purge-varnish allows Stored XSS. This issue affects Purge Varnish Cache: from n/a through <= 2.6.

Exploits (1)

nomisec WRITEUP
by erikharden · poc
https://github.com/erikharden/purge-varnish-csrf-advisory

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Purge Varnish Cache WordPress plugin version 2.6 and earlier
No auth needed
Prerequisites: An authenticated WordPress administrator session · Ability to lure the administrator to a crafted URL or HTML page
devstral-2 · analyzed Jun 05, 2026

Scores

CVSS v3 7.1
EPSS 0.0012
EPSS Percentile 2.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
Dsingh/Purge Varnish Cache < 2.6
Published Sep 05, 2025
Tracked Since Feb 18, 2026