WordPress Plugin Vulnerability Report – WP Fastest Cache – Unauthenticated SQL Injection – CVE-2023-6063

Plugin Name: WP Fastest Cache

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-fastest-cache
  • Software Status: Active
  • Software Author: emrevona
  • Software Downloads: 45,149,633
  • Active Installs: 1,000,000
  • Last Updated: November 13, 2023
  • Patched Versions: 1.2.2
  • Affected Versions: <= 1.2.1

Vulnerability Details:

  • Name: WP Fastest Cache <= 1.2.2 - Unauthenticated SQL Injection
  • Title: Unauthenticated SQL Injection
  • Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CVE: CVE-2023-6063
  • CVSS Score: 9.8 (Critical)
  • Publicly Published: November 13, 2023
  • Researcher: Alex Sanford
  • Description: The WP Fastest Cache plugin for WordPress is vulnerable to SQL Injection via the '$username' variable retrieved via user cookies in all versions up to, and including, 1.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Summary:

The WP Fastest Cache plugin for WordPress has a vulnerability in versions up to and including 1.2.1 that allows unauthenticated SQL injection. This vulnerability has been patched in version 1.2.2.

Detailed Overview:

The WP Fastest Cache plugin is vulnerable to SQL injection in versions up to and including 1.2.1, allowing unauthenticated attackers to inject malicious SQL queries via the '$username' variable retrieved from user cookies. Due to insufficient escaping of the '$username' parameter and lack of query preparation, attackers can append extra SQL statements to extract sensitive information from the database. This was publicly disclosed by researcher Alex Sanford on November 13, 2023 and affects over 1 million active plugin installations. It has been assigned a critical CVSS score of 9.8.

Advice for Users:

  1. Immediate Action: Update to version 1.2.2 as soon as possible.
  2. Check for Signs of Compromise: Review your site for any unauthorized changes or strange behavior. Check for additional admin accounts.
  3. Alternate Plugins: Consider using alternate cache plugins like WP Rocket or WP Super Cache as a precaution.
  4. Stay Updated: Always keep your plugins updated to avoid vulnerabilities.

Conclusion:

The quick response by the WP Fastest Cache developers to patch this critical SQL injection vulnerability shows their commitment to security. Users should update as soon as possible to version 1.2.2 or later to protect their WordPress sites.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-fastest-cache

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-fastest-cache/wp-fastest-cache-122-unauthenticated-sql-injection

Detailed Report:

Keeping your WordPress website secure should be a top priority for any website owner. Unfortunately, vulnerabilities in popular plugins can put your site at risk if left unpatched. One such vulnerability was recently disclosed in the WP Fastest Cache plugin, used on over 1 million websites. This critical vulnerability allows attackers to inject malicious SQL code into vulnerable sites to extract sensitive information from databases. With website hacks and data breaches on the rise, it's crucial to stay on top of plugin updates and quickly patch any discovered flaws.

WP Fastest Cache is a widely used caching plugin developed by emrevona to improve WordPress site performance. The recently discovered vulnerability affects versions up to and including 1.2.1 which has over 45 million downloads and 1 million active installs.

This vulnerability allows unauthenticated SQL injection via the '$username' variable retrieved from user cookies. Due to insufficient validation, attackers can inject additional SQL queries to extract sensitive information from the database like user credentials, contact forms, or payment details. It has been assigned a critical severity score of 9.8 out of 10.

Successful attacks could lead to data breaches, theft of sensitive user information, unauthorized access, defacement, and other malicious actions. Website owners using vulnerable versions of WP Fastest Cache should update to version 1.2.2 immediately to patch this vulnerability. You should also check your site for any unauthorized changes and strange behavior.

This is not the first vulnerability found in WP Fastest Cache. There have been over 30 other vulnerabilities disclosed in the plugin since 2015 which highlights the security risks of outdated plugins.

The quick response by the WP Fastest Cache developers to patch this critical SQL injection vulnerability shows their commitment to security. However, the ongoing discovery of flaws reinforces the need for users to constantly stay on top of updates.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.

WordPress Plugin Vulnerability Report – WP Fastest Cache – Unauthenticated SQL Injection – CVE-2023-6063 FAQs

Leave a Comment