WordPress Plugin Vulnerabilities

WP Fastest Cache < 0.9.5 - Subscriber+ SQL Injection

Description

The plugin does not escape user input in the set_urls_with_terms method before using it in a SQL statement, leading to an SQL injection exploitable by low privilege users such as subscriber

Affects Plugins

Plugin icon
wp-fastest-cache
Fixed in 0.9.5

References

CVE
CVE-2021-24869
URL
https://jetpack.com/2021/10/14/multiple-vulnerabilities-in-wp-fastest-cache-plugin/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Marc Montpas
Submitter
Marc Montpas
Submitter website
https://jetpack.com/blog/
Submitter twitter
marcS0H
Verified
Yes
WPVDB ID
b2233795-1a32-45fc-9d51-b6bd0a073f5b

Timeline

Publicly Published
2021-10-14 (about 2 years ago)
Added
2021-10-15 (about 2 years ago)
Last Updated
2024-01-16 (about 3 months ago)

Other

Published
Title
Published
2023-06-23
Title
MStore API < 4.0.2 - Unauthenticated SQL Injection
Published
2022-04-25
Title
ARPrice Lite < 3.6.1 - Unauthenticated SQLi
Published
2021-12-21
Title
Asgaros Forum < 1.15.15 - Admin+ SQL Injection via forum_id
Published
2017-10-03
Title
Relevanssi <= 3.6.0 - Authenticated Admin SQL Injection
Published
2023-11-07
Title
Who Hit The Page – Hit Counter <= 1.4.14.3 - Authenticated (Administrator+) SQL Injection