2 min Security

Bug in WordPress plugin exposes 600,000 vulnerable websites

Bug in WordPress plugin exposes 600,000 vulnerable websites

A plugin to make WordPress sites load faster is vulnerable to an SQL injection attack. WP Fastest Cache is deployed by more than a million websites. The majority of these sites (600,000) are still running a vulnerable version.

It’s easy to see why WP Fastest Cache is so popular: its creators promise to reduce website RAM and CPU usage upon use. Since Google counts site speed for its search results rankings, it is an extremely attractive plugin for end users. It is also easy to install, as is more often the case with WordPress solutions like this one.

Patching, patching, patching

It seems that many users that have installed it, have been failing to update the plugin consistently. The WordPress website shows that 44.9 percent are running version 1.2, although it does not show who has in fact made the important update to 1.2.2 specifically, which fixed the bug. However, more and more users are downloading updated versions of the plugin shortly after each release.

The WPScan security team discovered the SQL injection vulnerability during an internal investigation. Exploiting the bug allows attackers to read the “entire contents of the WordPress database” with an SQL injection payload. This allows a malicious party to leak, modify or delete information. Private data also potentially becomes unintentionally viewable in such an attack.

Also read: Thousands of hacked WordPress sites redirect visitors to scam sites

Specifically, the vulnerability affects the is_user_admin function within the ‘WpFastestCacheCreateCache’ class in the plugin. There, the plugin checks via the $username value whether a user belongs to the administrators. The problem is that this input was not further verified in versions prior to 1.2.2.

The vulnerability is now known as CVE-2023-6063. No further information is available on CVE.org at the time of writing, although it is already updated elsewhere.

SQL injections affect all kinds of applications, including this year’s managed file transfer application MOVEit. Numerous customer data was lost there as a result of a vulnerability in May.

Tip: How the MOVEit vulnerability has been making victims since May 2023