WP Fastest Cache Plugin Exposes Over 600K+ WordPress Sites to SQL Injection Attacks

In a most up-to-the-minute trend, the WPScan crew has unearthed a significant security flaw within the widely-extinct WP Fastest Cache plugin.

This vulnerability, labeled as an unauthenticated SQL injection, could perhaps doubtlessly grant unauthorized earn entry to to sensitive records within the WordPress database.

The vulnerability, identified as CVE-2023-6063, affects versions of WP Fastest Cache decrease than 1.2.2.

Upon making this discovery one day of an internal review, the crew at WPScan acted by shock to portray the plugin’s trend crew.

In response, the builders promptly released version 1.2.2 to address and rectify the disaster.

Examining the vulnerability

The crux of the vulnerability lies within the is_user_admin procedure of the WpFastestCacheCreateCache class, which is susceptible to SQL injection.

This procedure is invoked from the createCache procedure, presenting a doable entry point for malicious actors.

Notably, the vulnerability is aggravated by the fact that the procedure is performed at plugin load time earlier than the applying’s records is sanitized by wp_magic_quotes().

To employ this vulnerability, an unauthenticated attacker could perhaps manipulate the $username variable, obtained from a explain cookie, to inject a time-essentially based entirely blind SQL payload.

This could perhaps, in flip, result within the extraction of sensitive data from the WordPress database.

Mitigation

Administrators utilizing WP Fastest Cache must take care of shut fast action by updating their installations to version 1.2.2.

This update serves as a truly significant safeguard towards doable exploitation of the identified vulnerability.

WPScan plans to submit an entry on Nov. 27, 2023, for extra minute print and proof-of-understanding illustrating this security instruct.

Internet hiss directors and customers alike are steered to protect vigilant and steered in regards to essentially the most up-to-the-minute security updates to kind obvious that the integrity and security of their WordPress installations.