Question 1

What is the SpeedyCache plugin?

Accepted Answer

What is the SpeedyCache plugin?

The SpeedyCache plugin is a popular WordPress caching and performance optimization tool developed by softaculous. It speeds up sites by setting up caches to serve pages faster instead of requiring full page builds and database queries each time. Over 740,000 sites have downloaded SpeedyCache to improve performance.

Question 2

How serious is this vulnerability?

Accepted Answer

How serious is this vulnerability?

This vulnerability enables denial-of-service attacks that could disable sites, so it should be taken seriously. However, it requires an authenticated user account and does not lead directly to data exposure or takeovers. The main risk is hampering availability by overloading resources with unnecessary caches rather than more serious impacts. Still, even short outages can harm productivity and revenue.

Question 3

How does the vulnerability work?

Accepted Answer

How does the vulnerability work?

The flaw occurs because the speedycache_create_test_cache function fails to check user permissions before generating sample caches. This oversight allows accounts with just subscriber access to create caches, not only administrators. Since caches consume server resources, attackers could create many to overwhelm sites and cause crashes or failed page loads.

Question 4

What versions of SpeedyCache are affected?

Accepted Answer

What versions of SpeedyCache are affected?

All versions up to and including 1.1.2 contain this vulnerability. Version 1.1.3 patches it by adding capability checks to prevent unauthorized cache generation. Users of any build up to 1.1.2 should upgrade immediately.

Question 5

What should I do if I have an affected version?

Accepted Answer

What should I do if I have an affected version?

If your site runs any SpeedyCache version up to and including 1.1.2, you should update to 1.1.3 promptly. Deleting and reinstalling the plugin can also force it to the latest build if automatic updates are disabled. Check that 1.1.3 or higher appears under Installed Plugins after addressing the issue to confirm your site is no longer vulnerable.

Question 6

How do I know if someone has tried to exploit this on my site?

Accepted Answer

How do I know if someone has tried to exploit this on my site?

Review your SpeedyCache logs for any unauthorized attempts to utilize the speedycache_create_test_cache function and generate sample caches without permission to access this feature. However, attackers may also simply create caches anonymously through normal means once logged into accounts with subscriber roles. Monitor overall cache creation as well.

Question 7

Are other caching plugins affected?

Accepted Answer

Are other caching plugins affected?

No, this vulnerability is limited to SpeedyCache. Other popular caching plugins like WP Rocket, WP Fastest Cache, and Cache Enabler are not reported to contain related flaws. Still, always ensure any plugin impacting security, speed, or availability stays updated, especially ones controlling server-intensive functionality like caching and optimization.

Question 8

What other SpeedyCache vulnerabilities were recently patched?

Accepted Answer

What other SpeedyCache vulnerabilities were recently patched?

In version 1.1.1, SpeedyCache fixed an authenticated SQL injection vulnerability allowing database queries and site takeovers in some circumstances. Cross-site scripting flaws leading to stored attacks were also addressed earlier in 2023. Proper updating would have protected against these issues as well.

Question 9

Who discovered this vulnerability?

Accepted Answer

Who discovered this vulnerability?

Researchers at Wordfence Threat Intelligence originally detected and disclosed this vulnerability after auditing SpeedyCache’s source code through their plugin security analysis program. Wordfence responsibly reported it to the developers so a patch could be prepared without exposing sites during this process.

Question 10

Why stay on top of plugin updates and security notices?

Accepted Answer

Why stay on top of plugin updates and security notices?

The regular discovery of flaws even in popular plugins highlights why ignoring update notices and security warnings can be disastrous. While manually reviewing every plugin code change is unrealistic for small sites, making sure to apply maintenance and version releases tagged “security” should become standard practice. This often prevents serious issues that would otherwise lead to outages and emergency troubleshooting under pressure. Following best practices proactively saves time and stress down the road.

disabled

WordPress Plugin Vulnerability Report – SpeedyCache – Missing Authorization via speedycache_create_test_cache

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy