What the vulnerability does
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4.
CVE-2026-28044
MEDIUM
CVE-2026-28044: WordPress WP Rocket plugin <= 3.19.4 - Cross Site Scripting (XSS) vulnerability
CVSS base score
5.9/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Key dates
Disclosure timeline
March 19, 2026
CVE published
April 28, 2026
Record updated
