WP Fastest Cache <= 0.8.9.0 – Unauthenticated Arbitrary File Deletion | CVE 2019-6726 | Plugin Vulnerabilities

Description

According to the original researcher:

"Although a successful exploit leads to data loss and potentially a DoS against the website, because wordpress won't find important files to run, there are several requirements which need to be met:

- WP Fastest Cache is installed and the cache is activated
- Wordpress is configured to use 'pretty' URL schemes, like /<data>/<title> etc.
- WP Postratings [1] is installed
- At least one ratable post or page was published"

Affects Plugins

wp-fastest-cache

Fixed in 0.8.9.1

References

CVE

URL

https://packetstormsecurity.com/files/#152042/

URL

https://0day.work/cve-2019-6726-arbitrary-file-deletion-in-wp-fastest-cache-0-8-8-1/

URL

https://seclists.org/fulldisclosure/2019/Mar/17

Miscellaneous

Original Researcher

Sebastian Neef

Submitter

Ryan Dewhurst

Submitter twitter

Verified

No

WPVDB ID

0983ead6-81b1-43b1-ac35-088291b933ab

Timeline

Publicly Published

2019-03-10 (about 7 years ago)

Added

2019-03-10 (about 7 years ago)

Last Updated

2026-04-13 (about 29 days ago)

Other

Published

Title

Published

2024-01-16

Title

Author Box, Guest Author and Co-Authors for Your Posts – Molongui < 4.7.5 - Information Exposure via ma_debug

Published

2020-02-05

Title

Events Manager < 5.9.7.2 - CSV Injection

Published

2025-01-30

Title

HT Event – WordPress Event Manager Plugin for Elementor <= 1.4.7 - Authenticated (Contributor+) Sensitive Information Exposure via HT Event: Sponsor

Published

2014-08-01

Title

Wordpress <= 2.8.3 - Remote Admin Password Reset

Published

2015-07-08

Title

Child Theme Creator by Orbisius < 1.2.8 - Arbitrary File Write