
The WordPress Cache Plugin Exploit Affects Over a Million Websites

WP Fastest Cache WordPress plugin flaws can result in full site takeover and password leaks.

Security researchers at Jetpack, the well-known WordPress plugin, discovered multiple vulnerabilities in the WP Fastest Cache plugin that could allow an attacker to gain full administrator privileges. Over a million WordPress installations are affected by the exploits.

Vulnerabilities in the WP Fastest Cache Plugin

WP Fastest Cache is a WordPress plugin that is used by over a million WordPress websites. The plugin generates an HTML static version of the website.

Several vulnerabilities have been discovered:

  • Authenticated SQL Injection
  • Stored XSS via Cross-Site Request Forgery

Authenticated SQL Injection

Authenticated SQL Injection enables logged-in users to gain access to administrator-level information in the database.

A SQL Injection attack is directed at the database, which stores website data such as passwords.

A successful SQL Injection attack could result in the complete takeover of a website.

The severity of the vulnerability was described in the Jetpack security bulletin:

“If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

It can only be exploited if the classic-editor plugin is also installed and activated on the site.”

Stored XSS via Cross-Site Request Forgery

XSS (Cross-site Scripting) vulnerabilities are relatively common and are caused by a flaw in how website inputs are validated. Anywhere a user can enter information into a website, such as a contact form, is vulnerable to an XSS attack if the input is not sanitized.

Sanitizing means restricting what can be submitted to the limited input that is expected, such as plain text, rather than scripts or commands. Unsanitized input allows an attacker to inject malicious scripts, which can then be used to attack site visitors, such as the administrator, and do things like download malicious files to their browser or intercept their credentials.


Cross-Site Request Forgery occurs when an attacker deceives a user, such as a logged-in administrator, into visiting a page that causes their browser to perform actions on the site without their knowledge.
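To show how the three bug classes described above (SQL Injection, stored XSS and CSRF) are kept out of a WordPress plugin, here is an added example of a hypothetical admin form handler, first in a vulnerable form and then hardened with WordPress's own nonce, sanitization, escaping and prepared-statement functions. This is illustrative code written for this article, not code from WP Fastest Cache; the option name, table name and action name are invented.

```php
<?php
// Added example, not WP Fastest Cache code. Assumes a plugin option
// "my_cache_excluded_path" and a table "{$wpdb->prefix}my_cache_rules";
// both names are hypothetical.

// Vulnerable pattern: request data flows straight into SQL and HTML, and any
// logged-in user can trigger the action because there is no nonce or
// capability check (so a CSRF page can make an admin's browser submit it).
function my_cache_save_rule_vulnerable() {
    global $wpdb;
    $path = $_POST['path'];                                        // untrusted
    $wpdb->query( "INSERT INTO {$wpdb->prefix}my_cache_rules (path) VALUES ('$path')" ); // SQLi
    update_option( 'my_cache_excluded_path', $path );              // stored unsanitized
    echo '<p>Saved: ' . get_option( 'my_cache_excluded_path' ) . '</p>'; // stored XSS
}

// Hardened version of the same handler.
function my_cache_save_rule_hardened() {
    global $wpdb;
    // 1. Capability check: "logged in" is not enough, the user must manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: the request must carry a nonce bound to this action and user.
    check_admin_referer( 'my_cache_save_rule', 'my_cache_nonce' );
    // 3. Sanitize input before it is stored anywhere.
    $path = isset( $_POST['path'] ) ? sanitize_text_field( wp_unslash( $_POST['path'] ) ) : '';
    // 4. Parameterised query: the value can never alter the SQL structure.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}my_cache_rules (path) VALUES (%s)",
        $path
    ) );
    update_option( 'my_cache_excluded_path', $path );
    // 5. Escape on output: stored data is still treated as untrusted when displayed.
    echo '<p>Saved: ' . esc_html( get_option( 'my_cache_excluded_path' ) ) . '</p>';
}

// The form posting to the hardened handler must emit the matching nonce field.
function my_cache_rule_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="my_cache_save_rule">';
    wp_nonce_field( 'my_cache_save_rule', 'my_cache_nonce' );
    echo '<input type="text" name="path"><button type="submit">Save</button></form>';
}
add_action( 'admin_post_my_cache_save_rule', 'my_cache_save_rule_hardened' );
```

The nonce check defeats CSRF because a forged cross-site request cannot know the per-user token, while sanitization on input and esc_html on output close the stored XSS path even if a value reaches the database by some other route.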

These flaws depend on the classic-editor plugin being installed and on the attacker having some kind of authenticated user account, which makes them more difficult to exploit.

However, these vulnerabilities remain serious, and Jetpack recommends that users update their WP Fastest Cache plugin to at least version 0.95.

On October 14, 2021, WP Fastest Cache version 0.95 was released.

Jetpack claims that:

“If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

Successfully exploiting the CSRF & Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site.”

Warning Regarding Jetpack Security Research

Jetpack’s security researchers recommend that all users of the WP Fastest Cache WordPress plugin update their plugin immediately.

Jetpack security researchers published:

“We recommend that you check which version of the WP Fastest Cache plugin your site is using, and if it is less than 0.9.5, update it as soon as possible!”
