![Largest Data Breaches in US History [Updated for 2023]](https://nulld3v.com/uploads/images/202311/image_430x256_654e69df8d469.jpg)
Bug in WP Fastest Cache plugin leaves 600K WordPress sites vulnerable to attacks
The WP Fastest Cache WordPress plugin is susceptible to an SQL injection vulnerability. This flaw could enable unauthenticated attackers to access and read the site's database contents. [...]
The widely-used WordPress plugin, WP Fastest Cache, has been identified as having a significant SQL injection vulnerability, posing a risk to over a million websites that utilize it. This plugin, known for enhancing website performance and Google search rankings through faster page load times, is currently installed on numerous sites, with over 600,000 still operating a vulnerable version.
Automattic's WPScan team recently disclosed the details of this vulnerability, designated as CVE-2023-6063, which carries a high-severity score of 8.6. The vulnerability affects all plugin versions prior to 1.2.2. SQL injection vulnerabilities arise when a program improperly processes user input, allowing attackers to execute arbitrary SQL commands. This could lead to unauthorized access to private information or the execution of unintended commands.
Specifically, the flaw is found in the 'is_user_admin' function of the 'WpFastestCacheCreateCache' class within the WP Fastest Cache plugin. This function, which is meant to verify if a user holds administrative privileges, extracts the '$username' value from user cookies, making it susceptible to exploitation. Users of the plugin are advised to update to the latest version to mitigate this security risk.
The vulnerability in the WP Fastest Cache WordPress plugin, tracked as CVE-2023-6063, stems from the lack of proper sanitization of the ‘$username’ input. This oversight allows an attacker to tamper with the cookie value, resulting in the modification and execution of SQL queries by the plugin. Such unauthorized access could potentially compromise the entire WordPress database.
Typically, a WordPress database contains critical and sensitive information, including user details (like IP addresses, email addresses, and user IDs), account passwords, as well as configurations for plugins and themes, all of which are essential for the website's operation.
Although WPScan plans to release a proof-of-concept (PoC) exploit for this vulnerability on November 27, 2023, the simplicity of the flaw means that attackers might independently develop methods to exploit it.
To address this security issue, the developer of WP Fastest Cache has released an update in version 1.2.2. It is crucial for all users of this plugin to update to the latest version immediately to safeguard their websites from potential exploitation.
