Releases: psaux-it/nginx-fastcgi-cache-purge-and-preload

From PHP to C: A Cache Odyssey

04 Oct 23:05
b399f1c

🚀 Nginx Cache Purge Preload — v2.1.4

Where Scripts End, safexec Begins.

🛠️ 48 files changed  |  ➕ 9,140 lines  |  ➖ 1,854 lines — Refactored. Reinforced. Ready.


✨ What’s New

🔎 Nginx Cache Analyzer (major)

The Advanced Tab is now a unified cache dashboard.

  • See one clean list merging your last Preload crawl with what’s currently in cache — HITs and MISSes side-by-side.
  • Treat it like a site-crawl snapshot: review your actual Nginx cache state and act in one place.
  • Instantly spot MISS pages and Preload or Purge specific URLs on the spot to keep performance sharp.

🛡️ safexec (major) — hardened shell backend

  • New privilege-dropping wrapper (written in C) that safely runs commands used by the NPP (replaces raw shell_exec paths).
  • Drops privileges to a low-privilege user (nobody) and scrubs the environment.
  • Normalizes URLs during Preload to avoid encoding-based cache misses.
  • Control percent-encoding behavior during Preload:
    • OFF, PRESERVE, UPPER, LOWER.

Recommended for users concerned about shell execution.
See Help Tab → safexec for details, or the deep dive here.


🔁 Purge Scope: Related Pages (major)

Credit: @pasqualerussi ➡️

  • When purging a URL (manually or via auto-purge on content updates), optionally also purge related areas:
    • Homepage, Shop, Category archives, etc.
  • After purge, the plugin can immediately Preload those related URLs so they’re warm again in cache.

🧭 Setup Wizard & Assume-Nginx (major)

Credit: @FrAllard ➡️

  • A guided first-run Setup Wizard for quick, safe configuration.
  • Assume-Nginx Mode for environments where detection fails or nginx.conf isn’t accessible (proxies/CDNs, containers, Plesk/cPanel).
  • Auto-disables Assume-Nginx mode when a real nginx.conf is detected.
  • Improved detection using HTTP headers and system signals.

⚙️ Performance, UX & Compatibility

  • Significant disk I/O optimizations for large sites.
  • Toast notifications and UI polish.
  • Better Elementor / Gutenberg compatibility for Auto Purge.
  • Numerous bug fixes, security hardening, and a fresh header animation for NPP.

🧩 Where to Find Things

  • Cache Analyzer: Advanced Tab
  • safexec & URL-encoding modes: Help Tab → safexec (and Preload settings)
  • Purge Scope (Related Pages): Settings → Purge / Auto-Purge
  • Setup Wizard / Assume-Nginx: Appears on first run or when detection is inconclusive

🔄 Upgrade Notes (Recommended)

  1. Update the plugin to v2.1.4 as usual.
  2. Visit Settings → Purge / Auto-Purge and review Purge Scope options.
  3. In Preload settings, choose the URL Normalization mode that fits your site.
  4. If prompted, run the Setup Wizard (or enable Assume-Nginx Mode if your environment hides nginx.conf).
  5. Open Advanced Tab → Cache Analyzer to take a quick snapshot of current HIT/MISS and optionally Preload misses.

🙏 Credits

Huge thanks to everyone who tested and shared feedback — and special shout-outs to @pasqualerussi and @FrAllard for their contributions. 💙


📜 Changelog (Short)

  • Add: Nginx Cache Analyzer (Advanced Tab) with unified HIT/MISS dashboard.
  • Add: safexec privilege-dropping wrapper; URL percent-encoding control for Preload.
  • Add: Purge Scope (Related Pages) on manual and auto-purge + optional instant Preload.
  • Add: Setup Wizard + Assume-Nginx mode, with auto-disable when real nginx.conf is detected.
  • Improve: Nginx detection via headers and system signals.
  • Improve: Disk I/O performance for large sites.
  • Improve: Elementor/Gutenberg auto-purge compatibility; UI with toast notifications.
  • Fix: Various bugs and security hardening.
  • Polish: New header animation and minor UI tweaks.

🔒 Security Patch for CVE-2025-6213

23 Jul 01:21
3d65243

== Changelog ==

= 2.1.3 =

Release date: 2025-07-22

Security

🛡️ Fixed CVE-2025-6213: Authenticated RCE via unsanitized $_SERVER['HTTP_REFERER']

Patched improper usage of the referrer header in nppp_preload_cache_on_update() and admin-bar.php.
The value of $_SERVER['HTTP_REFERER'] is now safely sanitized using esc_url_raw( wp_unslash(...) ), validated with filter_var(), checked for same-site origin, and filtered for shell command injection.

🔗 Patch commits:

  • efdd1bf — admin-bar.php
  • 712d737 — preload.php
  • Advisory: GHSA-636g-ww4c-2j54

🔧 Patch Details

The following input hardening and mitigations were implemented:

  • Sanitized the referrer using esc_url_raw( wp_unslash( $_SERVER['HTTP_REFERER'] ) )
  • Applied FILTER_VALIDATE_URL to enforce valid structure
  • Enforced a same-origin check by matching the host returned by wp_parse_url() against the site's own host
  • Introduced a command injection character filter (preg_match() blacklist) to block dangerous input like &, |, ;, <, >, etc.
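
The four mitigation steps above, as an added standalone example (not the plugin's own code): it uses plain PHP stripslashes()/parse_url() in place of the WordPress helpers wp_unslash()/wp_parse_url() and approximates esc_url_raw() by stripping control characters, so it runs outside WordPress; the function name and sample inputs are constructed for illustration.

```php
<?php
// Added example modelled on the v2.1.3 referrer hardening; not the plugin's code.
// stripslashes()/parse_url() stand in for wp_unslash()/wp_parse_url().

function nppp_example_safe_referer(?string $raw_referer, string $site_host): ?string
{
    if ($raw_referer === null || $raw_referer === '') {
        return null;
    }
    // Step 1: undo added slashes, then drop whitespace/control characters
    // (a rough stand-in for what esc_url_raw() removes).
    $referer = preg_replace('/[\x00-\x20\x7F]+/', '', stripslashes($raw_referer));

    // Step 2: require a syntactically valid absolute URL.
    if (filter_var($referer, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Step 3: same-site origin: http(s) scheme and host identical to our own.
    $parts = parse_url($referer);
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], $site_host) !== 0) {
        return null;
    }

    // Step 4: reject shell metacharacters outright; a value that later reaches a
    // shell command line must never contain any of these.
    if (preg_match('/[&|;<>`$(){}\\\\\'"]/', $referer)) {
        return null;
    }
    return $referer;
}

// Constructed sample inputs: one valid same-site referrer and three that must be rejected.
$site  = 'example.com';
$cases = [
    'https://example.com/blog/post-1/',       // accepted
    'https://example.com/?q=a;id',            // rejected: shell metacharacter ';'
    'https://evil.example.net/example.com/',  // rejected: host is not the site host
    'javascript:alert(1)',                    // rejected: not a valid http(s) URL
];
foreach ($cases as $c) {
    $r = nppp_example_safe_referer($c, $site);
    printf("%-42s => %s\n", $c, $r === null ? 'REJECT' : 'OK');
}
```

Even with this filter in place, any value that is still passed to a shell should additionally be wrapped with escapeshellarg(); the character blacklist is a defence-in-depth layer, not a substitute for proper argument quoting.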

🧩 Affected Versions

  • Fixed in: v2.1.3
  • Vulnerable: All versions <= 2.1.2

🔗 References

Core

  • Fixed: UTF-8 decoded URLs are now correctly displayed in the Advanced tab for improved readability (Credit: @XCJYO)
  • Fixed: Percent-encoded URL normalization (uppercase vs lowercase) to prevent cache miss via mismatched encodings (Credit: @XCJYO)
  • Fixed: Fatal error in CLI context caused by undefined FS_CHMOD_FILE when running WP-CLI (Reported by: @sergeybv)
  • Fixed: Preload completion time and last preload timestamp now display accurately
  • Fixed: Addressed several WordPress Plugin Check (PCP) compatibility warnings and false positives
  • Added: Real-time Preload Progress Monitor in the Status tab, with visual feedback and progress bar
  • Added: Proxy support for preload operations, including validation and status checks
  • Compatibility: Tested with WordPress 6.8.2