Unauthenticated SQL Injection Vulnerability Addressed in WP Fastest Cache 1.2.2

During an internal review of the WP Fastest Cache plugin, the WPScan team discovered a serious SQL injection vulnerability. This vulnerability may allow unauthenticated attackers to read the full contents of the WordPress database using a time‑based blind SQL injection payload.

Upon discovering the vulnerability, we promptly alerted the plugin development team, who released version 1.2.2 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.

Unauthenticated SQL Injection

Plugin Name: WP Fastest Cache
Plugin URL: https://wordpress.org/plugins/wp-fastest-cache/
Author: https://www.wpfastestcache.com
Affected Versions: Versions lower than 1.2.2
CVE ID: CVE-2023-6063
WPScan ID: 30a74105-8ade-4198-abe2-1c6f2967443e
CVSSv3.1: 8.6

The is_user_admin function of the WpFastestCacheCreateCache class is vulnerable to SQL Injection. The function is called from the createCache function.

        public function is_user_admin(){
            global $wpdb;

            foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
                if(preg_match("/wordpress_logged_in/i", $cookie_key)){
                    $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
                    break;
                }
            }

            if(isset($username) && $username){
                $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                                       FROM `$wpdb->users`
                                       INNER JOIN `$wpdb->usermeta`
                                       ON `$wpdb->users`.`user_login` = \"$username\" AND
                                       `$wpdb->usermeta`.`meta_key` LIKE \"%_user_level\" AND
                                       `$wpdb->usermeta`.`meta_value` = \"10\" AND
                                       `$wpdb->users`.`ID` = `$wpdb->usermeta`.user_id ;"
                                    );

                return $res;
            }

            return false;
        }

The function takes $username from the first cookie whose name contains the text wordpress_logged_in, keeping everything before the first | character. That value is then interpolated directly into the query without any escaping. Note that this function is called at plugin load time, which is before wp_magic_quotes() has been applied to the request data, so not even WordPress's slash-escaping of cookie values stands in the way.

Since the results from the SQL query are not used anywhere outside of this function, there is no direct way to retrieve them. However, a time‑based blind SQL injection payload can easily extract any information from the database using this vulnerability.
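The same privilege check rebuilt on $wpdb->prepare(), as an added example; this is not the plugin's code and not the patch shipped in 1.2.2. It assumes a loaded WordPress environment ($wpdb, sanitize_user() and esc_like() are all available at the point where plugins are loaded), and the function name wpfc_example_is_user_admin is an assumption. The cookie parsing is kept identical to the original so that the only difference is how the username reaches the database.

```php
<?php
/**
 * Added example (not the plugin's code): the is_user_admin() check with the
 * cookie-derived username bound as a query parameter instead of being
 * interpolated into the SQL string. Function name is an assumption.
 */
function wpfc_example_is_user_admin() {
    global $wpdb;

    $username = null;
    foreach ( (array) $_COOKIE as $cookie_key => $cookie_value ) {
        if ( preg_match( '/wordpress_logged_in/i', $cookie_key ) ) {
            // Same parsing as the original: everything before the first '|'.
            $username = preg_replace( '/^([^\|]+)\|.+/', '$1', $cookie_value );
            break;
        }
    }

    if ( ! $username ) {
        return false;
    }

    // Defence in depth, not the fix itself: wp_insert_user() stores logins
    // through sanitize_user( $login, true ), so a value that changes under
    // strict sanitisation cannot be a real user_login and is rejected early.
    if ( sanitize_user( $username, true ) !== $username ) {
        return false;
    }

    // esc_like() makes '_' and '%' in the literal part match themselves; the
    // leading '%' wildcard is added afterwards, outside the escaped text.
    $meta_key_like = '%' . $wpdb->esc_like( '_user_level' );

    // The actual fix: the query text contains no request data. Each %s is
    // bound by prepare(), so quotes or SQL keywords in the cookie value are
    // treated as string content, never as part of the statement.
    $sql = $wpdb->prepare(
        "SELECT u.ID
           FROM {$wpdb->users} AS u
           INNER JOIN {$wpdb->usermeta} AS m ON u.ID = m.user_id
          WHERE u.user_login = %s
            AND m.meta_key LIKE %s
            AND m.meta_value = %s
          LIMIT 1",
        $username,
        $meta_key_like,
        '10'
    );

    return $wpdb->get_var( $sql );
}
```

The table names ($wpdb->users, $wpdb->usermeta) are still interpolated, as in the original; they come from the configured table prefix, not from the request. Everything that originates in the cookie goes through a %s placeholder, which is the property a reviewer should look for when auditing any $wpdb->get_var() or $wpdb->query() call that runs before authentication.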

The proof‑of‑concept for this vulnerability will be available in the WPScan entry for the vulnerability on Nov. 27, 2023.

Credits

Original researcher: Alex Sanford

Many thanks to the rest of the WPScan team for their invaluable feedback, assistance, and corrections.
