WordPress Cache Plugin Exploit Affects +1 Million Websites

Popular WordPress plugin WP Fastest Cache plugin was discovered by Jetpack security researchers to have multiple vulnerabilities that could allow an attacker to assume full administrator privileges. The exploits affect over a million WordPress installations.

WP Fastest Cache Plugin Vulnerabilities Description

WP Fastest Cache is a WordPress plugin used by over a million WordPress websites. The plugin creates a static HTML version of the website.

There are multiple vulnerabilities that were discovered:

  • Authenticated SQL Injection
  • Stored XSS via Cross-Site Request Forgery

Authenticated SQL Injection

The Authenticated SQL Injection allows a logged-in users to access administrator level information through the database.

A SQL Injection vulnerability is an attack that’s directed at the database, which is where the website elements, including passwords, are stored.

A successful SQL Injection attack could lead to a full website takeover.

The Jetpack security bulletin described the seriousness of the vulnerability:

“If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

It can only be exploited if the classic-editor plugin is also installed and activated on the site.”

Stored XSS via Cross-Site Request Forgery

XSS (Cross-site Scripting) vulnerabilities is a somewhat common vulnerability that results from a flaw in how inputs to the website are validated. Anywhere a user can input something to a website, like a contact form, can be vulnerable to an XSS attack if the input isn’t sanitized.

Sanitized means to restrict what can be uploaded to a limited expected input, like text and not scripts or commands. A flawed input allows an attacker to inject malicious scripts that can then be used to attack users who visit the site, like the administrator, and do things like download malicious files to their browser or intercept their credentials.

Cross Site Request Forgery is when an attacker tricks a user, like a logged-in administrator, to visit the site and execute various actions.

These vulnerabilities depend on the classic-editor plugin being installed and that the attacker has some kind of user authentication, which makes it harder to exploit.

But these vulnerabilities are still serious and Jetpack recommends users upgraded their plugin to at least version 0.95 of WP Fastest Cache.

WP Fastest Cache version 0.95 was released on October 14, 2021.

According to Jetpack:

“If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

Successfully exploiting the CSRF & Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site.”

Jetpack Security Research Warning

The security researchers at Jetpack recommend that all users of WP Fastest Cache WordPress plugin updated their plugin right away.

The Jetpack security researchers posted:

“We recommend that you check which version of the WP Fastest Cache plugin your site is using, and if it is less than 0.9.5, update it as soon as possible!”

Citation

Read the Jetpack Security Announcement About WP Fastest Cache Plugin

Multiple Vulnerabilities in WP Fastest Cache Plugin