https://jetpack.com/2021/10/14/multiple-vulnerabilities-in-wp-fastest-cache-plugin/

Multiple vulnerabilities in WP Fastest Cache plugin

Posted on October 14, 2021 by Marc Montpas

During an internal audit of the WP Fastest Cache plugin, we uncovered an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.

If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site's database (e.g., usernames and hashed passwords). It can only be exploited if the classic-editor plugin is also installed and activated on the site.

Successfully exploiting the CSRF & Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site.

We reported the vulnerabilities to this plugin's author via email, and they recently released version 0.9.5 to address them. We strongly recommend that you update to the latest version of the plugin and have an established security solution on your site, such as Jetpack Security.
Details

Plugin Name: WP Fastest Cache
Plugin URI: https://wordpress.org/plugins/wp-fastest-cache/
Author: https://www.wpfastestcache.com/

The Vulnerabilities

Authenticated SQL Injection

Affected versions: < 0.9.5
CVE-ID: CVE-2021-24869
CVSSv3.1: 7.7
CWSS: 73.6

```php
public static function set_urls_with_terms(){
    global $wpdb;
    // static::$id is concatenated straight into the query text; it is never
    // cast to an integer or bound through $wpdb->prepare().
    $terms = $wpdb->get_results("SELECT * FROM `".$wpdb->prefix."term_relationships` WHERE `object_id`=".static::$id, ARRAY_A);
    foreach ($terms as $term_key => $term_val){
        static::set_term_urls($term_val["term_taxonomy_id"]);
    }
}
```

The set_urls_with_terms method directly concatenates static::$id to an SQL query, which is an issue since any logged-in user can store arbitrary values in that property via the SinglePreloadWPFC::set_id() method. This method is executed when the admin_notices WordPress action is run.

```php
public static function set_id(){
    if(isset($_GET["post"]) && $_GET["post"]){
        // esc_sql() only escapes quote characters; it does not turn the value
        // into an integer, so "1234 OR 1=1" passes through unchanged.
        static::$id = esc_sql($_GET["post"]);
        // get_post_status() casts the ID to int internally, so this check
        // succeeds for any string that starts with a published post's ID.
        if(get_post_status(static::$id) != "publish"){
            static::$id = 0;
        }
    }
}
```

Although set_id checks that the provided ID points to a valid, published post using the get_post_status() function, this isn't enough to validate that it only contains that ID. The get_post_status() function eventually uses get_post() internally, which casts the ID it receives to integer before querying the database for the related post. Simply put, if the ID provided is 1234 OR 1=1, get_post_status() will retrieve the status of the post whose ID is 1234, but 1234 OR 1=1 is going to be concatenated to the vulnerable SQL query in SinglePreloadWPFC::set_urls_with_terms().

Stored XSS Via CSRF

Affected versions: < 0.9.5
CVE-ID: CVE-2021-24869
CVSSv3.1: 9.6
CWSS: 74.7

The CdnWPFC::save_cdn_integration() method is used by the wp_ajax_wpfc_save_cdn_integration AJAX action to set up CDN-specific options.
While it did perform privilege checks like current_user_can() to ensure whoever sent that request is allowed to change those settings, it did not validate that they intended to, which is what nonce checks do. Furthermore, we discovered that attackers could potentially abuse some of these options to store rogue JavaScript on the affected website.

Timeline

The authors were initially reluctant to acknowledge the CSRF issue, but after obtaining a second opinion from the WordPress plugin team, they fixed it in version 0.9.5.

2021-09-28 - Initial contact with WP Fastest Cache
2021-09-29 - We send them details about these vulnerabilities
2021-10-01 - We share with them a video proof of concept to demonstrate the risk CSRF poses
2021-10-01 - We reach out to the WordPress plugin team for help
2021-10-11 - WP Fastest Cache 0.9.5 is released

Conclusion

We recommend that you check which version of the WP Fastest Cache plugin your site is using, and if it is less than 0.9.5, update it as soon as possible!

At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.

Credits

Original researcher: Marc Montpas

Thanks to the rest of the Jetpack Scan team for feedback, help, and corrections.
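Hardened counterparts of the two code paths described in the Authenticated SQL Injection and Stored XSS Via CSRF sections above, as an added example written for this page; it is not code from the WP Fastest Cache plugin or from its 0.9.5 fix. It assumes WordPress is loaded at runtime (so $wpdb, get_post_status(), check_ajax_referer(), current_user_can(), esc_url_raw() and the other WordPress functions it calls exist); the class names SinglePreloadWPFC_Hardened and CdnWPFC_Hardened, the helper wpfc_example_post_id_from_request(), the nonce action string, the manage_options capability, the script handle and the cdn_url option name are all assumptions for illustration, not names from the plugin.

```php
<?php
// Added example (not WP Fastest Cache code): hardened versions of the two
// code paths from the advisory. Assumes WordPress is loaded at runtime;
// all "wpfc_example" names and the class names are hypothetical.

// Strict post-ID validation. FILTER_VALIDATE_INT accepts only a decimal
// integer string, so inputs such as "1234 OR 1=1" come back as 0 instead of
// being handed to the database. Contrast with esc_sql(), which only escapes
// quote characters and leaves an unquoted numeric context wide open.
function wpfc_example_post_id_from_request($raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false) ? 0 : (int) $id;
}

// Hypothetical hardened counterpart of SinglePreloadWPFC.
class SinglePreloadWPFC_Hardened {
    public static $id = 0;

    public static function set_id() {
        static::$id = 0;
        if (!isset($_GET["post"])) {
            return;
        }
        $id = wpfc_example_post_id_from_request($_GET["post"]);
        // Validate first, then check publication status on the clean integer,
        // so the value that later reaches SQL is exactly the value checked.
        if ($id && get_post_status($id) === "publish") {
            static::$id = $id;
        }
    }

    public static function set_urls_with_terms() {
        global $wpdb;
        if (!static::$id) {
            return;
        }
        // $wpdb->prepare() with %d binds an integer; no request-derived string
        // is ever concatenated into the query text.
        $terms = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT * FROM {$wpdb->prefix}term_relationships WHERE object_id = %d",
                static::$id
            ),
            ARRAY_A
        );
        foreach ($terms as $term) {
            static::set_term_urls($term["term_taxonomy_id"]);
        }
    }

    public static function set_term_urls($term_taxonomy_id) {
        // Placeholder for the plugin's own per-term preload logic.
    }
}

// Hypothetical hardened counterpart of CdnWPFC::save_cdn_integration().
class CdnWPFC_Hardened {
    const NONCE_ACTION = 'wpfc_example_save_cdn_integration'; // assumed name

    public static function register() {
        add_action('wp_ajax_wpfc_save_cdn_integration', [static::class, 'save_cdn_integration']);
    }

    public static function save_cdn_integration() {
        // Capability check: is this user allowed to change CDN settings?
        if (!current_user_can('manage_options')) {
            wp_send_json_error('insufficient privileges', 403);
        }
        // Nonce check: did this user actually intend to send this request?
        // check_ajax_referer() terminates the request on failure; this is the
        // check the advisory says was missing.
        check_ajax_referer(self::NONCE_ACTION, 'nonce');

        // Option name is a placeholder. Sanitize and whitelist the value so a
        // stored CDN setting cannot carry script into later admin output.
        $cdn_url = isset($_POST['cdn_url']) ? esc_url_raw(wp_unslash($_POST['cdn_url'])) : '';
        if ($cdn_url === '' || !in_array(wp_parse_url($cdn_url, PHP_URL_SCHEME), ['http', 'https'], true)) {
            wp_send_json_error('invalid CDN URL', 400);
        }
        update_option('wpfc_example_cdn_url', $cdn_url);
        wp_send_json_success();
    }
}

// The admin page that sends the AJAX request must carry the matching nonce;
// here it is exposed to an already-registered script handle (assumed name)
// via wp_localize_script(), and the script posts it as the "nonce" field.
function wpfc_example_enqueue_admin_script() {
    wp_localize_script('wpfc-example-admin', 'wpfcExample', [
        'nonce' => wp_create_nonce(CdnWPFC_Hardened::NONCE_ACTION),
    ]);
}

// Offline check of the validator alone (constructed inputs; no WordPress
// needed for this part, so it only runs outside WordPress on the CLI).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    foreach (["1234", "1234 OR 1=1", "12abc", "1.0", "0", "-5"] as $input) {
        printf("%-16s -> %d\n", var_export($input, true), wpfc_example_post_id_from_request($input));
    }
}
```

Two points worth noting in the design: the integer validation happens before the get_post_status() call, so the status check and the SQL query see the same value, which is precisely the gap in the original set_id(); and the nonce check sits alongside, not instead of, the capability check, because the two answer different questions (whether the user may change the setting, and whether the user meant to).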