Skip to content

Releases: psaux-it/nginx-fastcgi-cache-purge-and-preload

🔒 Security Patch for CVE-2025-6213

23 Jul 01:21
@hsntgm hsntgm
v2.1.3
3d65243
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
🔒 Security Patch for CVE-2025-6213 Latest
Latest

== Changelog ==

= 2.1.3 =

Release date: 2025-07-22

Security

🛡️ Fixed CVE-2025-6213: Authenticated RCE via unsanitized $_SERVER['HTTP_REFERER']

Patched improper usage of the referrer header in nppp_preload_cache_on_update() and admin-bar.php.
The value of $_SERVER['HTTP_REFERER'] is now safely sanitized using esc_url_raw( wp_unslash(...) ), validated with filter_var(), checked for same-site origin, and filtered for shell command injection.

🔗 Patch commits: efdd1bf - admin-bar.php 712d737 - preload.php --> GHSA-636g-ww4c-2j54

🔧 Patch Details

The following input hardening and mitigations were implemented:

  • Sanitized the referrer using esc_url_raw( wp_unslash( $_SERVER['HTTP_REFERER'] ) )
  • Applied FILTER_VALIDATE_URL to enforce valid structure
  • Checked for same-origin policy enforcement via wp_parse_url() domain match
  • Introduced a command injection character filter (preg_match() blacklist) to block dangerous input like &, |, ;, <, >, etc.

🧩 Affected Versions

  • Fixed in: v2.1.3
  • Vulnerable: All versions <= 2.1.2

🔗 References

Core

  • Fixed: UTF-8 decoded URLs are now correctly displayed in the Advanced tab for improved readability (Credit: @XCJYO)
  • Fixed: Percent-encoded URL normalization (uppercase vs lowercase) to prevent cache miss via mismatched encodings (Credit: @XCJYO)
  • Fixed: Fatal error in CLI context caused by undefined FS_CHMOD_FILE when running WP-CLI (Reported by: @sergeybv)
  • Fixed: Preload completion time and last preload timestamp now display accurately
  • Fixed: Addressed several WordPress Plugin Check (PCP) compatibility warnings and false positives
  • Added: Real-time Preload Progress Monitor in the Status tab, with visual feedback and progress bar
  • Added: Proxy support for preload operations, including validation and status checks
  • Compatibility: Tested with WordPress 6.8.2

Contributors

sergeybv and XCJYO
Assets 3
Loading

The Sky Has Broken

23 Jun 15:59
@hsntgm hsntgm
v2.1.2
1d47d60
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
The Sky Has Broken

== Changelog ==

= 2.1.2 =

Release date: 2025-06-23

  • Fix leaking HTML into WP core API responses
  • Fix plugin name under Settings menu
  • Fix mobile layout issues
  • Fix plugin not a valid header issue
  • Fix Status tab render issue
  • Fix Auto Purge triggers twice
  • Bump external assets to latest versions
  • Tested with WordPress 6.8.1
Loading

There Are Names We Must Leave Behind to Keep Breathing

28 Apr 00:15
@hsntgm hsntgm
v2.1.1
3149a18
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
There Are Names We Must Leave Behind to Keep Breathing

== Changelog ==

= 2.1.1 =

Release date: 2025-03-17

  • Changed plugin name to “Nginx Cache Purge Preload”
  • Other minor improvements
Loading

If you go out, you come back, and you come back to an empty house, and now it's loneliness again; it feels as though you've been dumped in the deep end, and there's nobody there to rescue you; it's just something that is thrown at you, you can't throw it back to anybody, and all you can do is just carry on.

24 Feb 04:00
@hsntgm hsntgm
v2.1.0
cabe025
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
If you go out, you come back, and you come back to an empty house, and now it's loneliness again; it feels as though you've been dumped in the deep end, and there's nobody there to rescue you; it's just something that is thrown at you, you can't throw it back to anybody, and all you can do is just carry on.

== Changelog ==

= 2.1.0 =

Release date: 2025-02-23

Major Release: 46 files changed, 5,170 additions, 1,410 deletions.
Now fully supports internationalization, enabling complete translation for a global user base.

  • Added support for internationalization (i18n).
  • Added support for Nginx cache for PROXY, SCGI, and uWSGI.
  • Added support for Nginx cache status widget in the WordPress dashboard.
  • Added support for deep hash linking with jQuery UI Tabs.
  • Added support for better UI/UX for various elements.
  • Improved compatibility with containerized environments. (Marc-Antoine Lalonde, Pawel Strzyzewski)
  • Resolved issue where auto purge was not working on post/page content updates.
  • Resolved issue where theme switch or theme update triggered purge and preload actions twice.
  • Resolved issue where tabs were stuck and hanging on switch with admin bar and internal clicks
  • Resolved issue with preload process completion time accuracy.
  • Resolved issue with plugin tracking cron event handling.
  • Resolved issues with false detections inside the Status Tab.
  • Resolved issue with front-end action messages for better clarity.
  • Resolved various PCP (Plugin Check) errors.
  • Resolved issue with false positives in certain validation checks.
  • Resolved issue with preload features not being disabled correctly.
  • Resolved issue with WP purge handling and process exits.
  • Resolved issue with page reload time.
  • Updated error and success messages for clarity.
  • Updated external assets to latest versions.
  • Updated Plugin logo and plugin header assets.
  • Updated plugin readme.txt
Loading