Security Audit Reveals Major Vulnerability In A Popular WordPress Plugin, Update ASAP

WP Fastest Cache, a WordPress plugin used by over 1 million users to deliver their websites more efficiently, is addressing a security issue in its 1.2.2 release. The update fixes an SQL injection vulnerability found during an internal review by the WPScan team. The flaw made it possible for an unauthenticated attacker to read the entire WordPress database using a time-based blind SQL injection payload.

The WP Fastest Cache development team was immediately alerted to this vulnerability by WPScan, which led to the 1.2.2 update that contains the fix for this issue. It’s strongly recommended that WordPress administrators who have this plugin installed apply the update as quickly as possible to minimize any harm to their websites.

WPScan went into the nitty-gritty details of the vulnerability, explaining how a function in the plugin’s code is the culprit. According to WPScan, “The function retrieves the $username variable from any cookie with the text wordpress_logged_in in its name, retrieving everything up to the first | character. The variable is then inserted into the query without escaping. Note that this function is called at plugin load time, which is before wp_magic_quotes() has been called on the request data.

Since the results from the SQL query are not used anywhere outside of this function, there is no direct way to retrieve them. However, a time-based blind SQL injection payload can easily extract any information from the database using this vulnerability.”
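To make the pattern WPScan describes concrete, here is an added illustrative reconstruction of the flaw beside a hardened version using $wpdb->prepare(); this is example code, not WP Fastest Cache’s or WPScan’s, and the function names are hypothetical, with $cookies standing in for $_COOKIE.

```php
<?php
// Illustrative reconstruction of the pattern in the advisory, NOT the plugin's
// real code. Assumes the WordPress global $wpdb is passed in and that the code
// runs at plugin load, i.e. before wp_magic_quotes() has touched request data,
// so no framework-level escaping can be relied upon here.

// Take everything before the first '|' from any wordpress_logged_in_* cookie,
// exactly the extraction step the advisory describes.
function wpfc_example_username_from_cookie( array $cookies ) {
    foreach ( $cookies as $name => $value ) {
        if ( strpos( $name, 'wordpress_logged_in' ) !== false ) {
            $parts = explode( '|', $value );
            return $parts[0];
        }
    }
    return '';
}

// VULNERABLE: the attacker-controlled cookie fragment is concatenated straight
// into the SQL text, so its content is interpreted as SQL, not as data. The
// result is never returned to the client, which is why the advisory describes
// exploitation as time-based blind rather than direct data exfiltration.
function wpfc_example_lookup_vulnerable( $wpdb, array $cookies ) {
    $username = wpfc_example_username_from_cookie( $cookies );
    $sql = "SELECT * FROM {$wpdb->users} WHERE user_login = '" . $username . "'";
    return $wpdb->get_row( $sql );
}

// FIXED: the value is bound through $wpdb->prepare(), so it can only ever be
// compared as a string. An allowlist approximating WordPress's strict username
// character set (assumed here) gives a second, independent check and lets the
// code skip the query entirely for values that cannot be a valid login.
function wpfc_example_lookup_fixed( $wpdb, array $cookies ) {
    $username = wpfc_example_username_from_cookie( $cookies );
    if ( $username === '' || ! preg_match( '/^[A-Za-z0-9 _.\-@]+$/', $username ) ) {
        return null; // not a plausible WordPress login; do not query at all
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->users} WHERE user_login = %s",
        $username
    );
    return $wpdb->get_row( $sql );
}
```

Defenders reviewing plugins for the same class of bug should look for $wpdb->query()/get_row()/get_results() calls whose SQL string is built by concatenation from $_COOKIE, $_GET or $_POST, particularly in code that runs on every page load before authentication.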

WPScan is a WordPress security service that scans for vulnerabilities in the popular content management system, and maintains a database that catalogs 43,655 WordPress core, plugin, and theme vulnerabilities.