WP Fastest Cache Plugin Exposes Over 600,000 WordPress Sites to SQL Injection Attacks

The WPScan team has disclosed a significant security flaw in the widely used WP Fastest Cache plugin, which is installed on more than 600,000 WordPress sites.

The vulnerability is an unauthenticated SQL injection: an attacker with no account on the site can use it to read sensitive data from the WordPress database.

The vulnerability, identified as CVE-2023-6063, affects versions of WP Fastest Cache lower than 1.2.2. 

Upon making this discovery during an internal review, the team at WPScan acted swiftly to inform the plugin’s development team. 

In response, the developers promptly released version 1.2.2, which fixes the issue.

Examining the vulnerability

The vulnerability lies in the is_user_admin function of the WpFastestCacheCreateCache class, which builds a SQL query from untrusted input and is therefore susceptible to SQL injection.

This function is invoked from the createCache function, so the vulnerable query is reached on ordinary page requests, which makes it a convenient entry point for attackers.

Notably, the vulnerability is aggravated by the fact that the function runs at plugin load time, before WordPress has passed request data (including cookies) through wp_magic_quotes(), so the cookie value reaches the query without even the slash-escaping that WordPress would otherwise add. Escaping of that kind is not a substitute for prepared statements in any case, but its absence here makes the injection straightforward.

To exploit this vulnerability, an unauthenticated attacker manipulates the $username value, which the function takes from a specific cookie, to inject a time-based blind SQL payload.

Because the query's result is never shown to the requester, the attacker extracts data indirectly: each injected condition makes the database delay its response when the condition is true, and the attacker reads off sensitive information from the WordPress database one answer at a time by timing the responses.
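To make the injection pattern concrete, here is an added example that is not the plugin's code: a stand-in for a username lookup fed from a cookie, in its vulnerable string-interpolated form and its parameterized form. It uses an in-memory SQLite table instead of MySQL so it runs offline, assumes a hypothetical cookie layout of "username|..." (the real cookie format is not described here), and uses a tautology payload rather than the time-based blind payload described above, since SQLite has no SLEEP(). The table contents and cookie values are constructed for the demonstration.

```python
import sqlite3

# Added example (not the plugin's code): a cookie-fed username lookup in
# vulnerable and parameterized forms. SQLite stands in for MySQL/$wpdb.


def make_db():
    """Constructed in-memory users table mimicking wp_users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    db.executemany(
        "INSERT INTO wp_users (ID, user_login) VALUES (?, ?)",
        [(1, "admin"), (2, "editor")],
    )
    return db


def username_from_cookie(cookie_value):
    """Hypothetical cookie layout 'username|...': the first field is taken
    verbatim, i.e. no escaping has been applied to it yet."""
    return cookie_value.split("|", 1)[0]


def lookup_vulnerable(db, username):
    """The injection pattern: the unescaped value is pasted into the SQL text,
    so quote characters in it change the structure of the query."""
    sql = "SELECT ID FROM wp_users WHERE user_login = '%s'" % username
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, username):
    """Same query with a bound parameter; the value is sent as data and can
    never become part of the SQL statement."""
    sql = "SELECT ID FROM wp_users WHERE user_login = ?"
    return [row[0] for row in db.execute(sql, (username,))]


# Constructed attacker cookie: closes the string literal and appends a
# tautology so every row matches. A legitimate cookie for comparison.
MALICIOUS_COOKIE = "x' OR '1'='1|ignored"
LEGIT_COOKIE = "admin|ignored"


def run_demo():
    """Run both lookups against both cookies and return the row IDs each saw."""
    db = make_db()
    bad = username_from_cookie(MALICIOUS_COOKIE)
    good = username_from_cookie(LEGIT_COOKIE)
    return {
        "vulnerable_with_payload": lookup_vulnerable(db, bad),  # every row matches
        "safe_with_payload": lookup_safe(db, bad),  # nothing matches
        "safe_with_legit": lookup_safe(db, good),  # only 'admin'
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
```

The vulnerable lookup returns every user ID for the crafted cookie, while the parameterized lookup returns nothing for it and still finds the real account for a legitimate cookie. The fix for code of this shape is the same in WordPress: pass the value through $wpdb->prepare() rather than concatenating it into the query.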

Mitigation

Administrators running WP Fastest Cache should update their installations to version 1.2.2 or later immediately.

Because the flaw is exploitable without authentication, the update is the only reliable safeguard; a web application firewall may block known payloads but does not remove the vulnerable code path.

WPScan plans to publish a full advisory with further details and a proof of concept on Nov. 27, 2023.

Website administrators and users alike are advised to stay vigilant and informed about the latest security updates to ensure the integrity and security of their WordPress installations.
