WordPress Plugin Vulnerabilities

WP Fastest Cache <= 0.8.7.4 - Blind SQL Injection

Description

Improper escaping of user input when deleting the cache of specific pages leads to SQL injection vulnerability. esc_sql() was used on input but the result was used unquoted in the constructed SQL query.

Proof of Concept

Affects Plugins

Plugin icon
wp-fastest-cache
Fixed in 0.8.7.5

References

URL
https://plugins.trac.wordpress.org/changeset/1771828/wp-fastest-cache
URL
https://plugins.trac.wordpress.org/changeset/1771564/wp-fastest-cache
URL
https://www.ripstech.com/php-security-calendar-2018/#Day21

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher
RIPS Technologies
Submitter
Karim El Ouerghemmi
Submitter website
https://ripstech.com
Verified
No
WPVDB ID
8beb9013-b36d-4d2d-9042-f1053e2ccf21

Timeline

Publicly Published
2018-02-22 (about 8 years ago)
Added
2018-02-25 (about 8 years ago)
Last Updated
2026-04-13 (about 29 days ago)

Other

Published
Title
Published
2014-08-01
Title
Couponer <= 1.2 - SQL Injection
Published
2026-01-20
Title
Koko Analytics < 2.1.3 - Unauthenticated SQL Injection
Published
2014-08-01
Title
Participants Database < 1.5.4.9 - Unauthenticated SQL Injection
Published
2024-07-15
Title
HUSKY - Products Filter Professional for WooCommerce < 1.3.6.1 - Unauthenticated Time-Based SQL Injection
Published
2020-07-18
Title
Email Subscribers & Newsletters < 4.5.1 - Authenticated SQL injection in es_newsletters_settings_callback()