Multiple vulnerabilities in popular WordPress plugin WP Fastest Cache

Multiple vulnerabilities have been found in the popular WordPress plugin WP Fastest Cache during an internal audit by the Jetpack Scan team.

Jetpack reports that it found an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.

WP Fastest Cache

WP Fastest cache is a plugin that is most useful for WordPress-based sites that attract a lot of visitors. To save the RAM and CPU time needed to render a page, the plugin creates caches of static html files, so that the pages do not need to be rendered for every visit separately.

This results in a speed improvement which in turn improves the visitor experience and the SEO ranking of the site. WP Fastest Cache is open source software and comes in free and paid versions.

WP Fastest Cache currently has more than a million active installations according to its WordPress description page.

Authenticated SQL Injection vulnerability

This particular vulnerability can only be exploited on sites where the Classic Editor plugin is both installed and activated.  Classic Editor is an official plugin maintained by the WordPress team that restores the previous (“classic”) WordPress editor and the “Edit Post” screen.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database, and has become a common issue with database-driven web sites. This bug could grant attackers access to privileged information from the affected site’s database, such as usernames and (hashed) passwords.

Stored XSS issue

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as CVE-2021-24869 and received a CVSS score of 9.6 out of 10.

Cross-site request forgery (CSRF), also known as one-click attack or session riding, is a type of exploit of a website where unauthorized commands are submitted from a user that the web application trusts. A CSRF attack forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering, an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is an administrative account, CSRF can compromise the entire web application.

Cross-Site Scripting (XSS) is a vulnerability that exploits the client environment within the browser, allowing an attacker to inject arbitrary code onto the target’s instance and environment. Basically the application does not process received information as intended. An attacker can use such a vulnerability to create input that allows them to inject additional code into a website.

In this case it was possible due to a lack of validation during user privilege checks. The plugin allowed a potential attacker to perform any desired action on the target website. Hence, an adversary could even store malicious JavaScript code on the site. Which in case of an online shop could be a web skimmer designed to retrieve customer payment information.

Mitigation

Website owners should download and install the latest version of the WP Fastest Cache plugin (version 0.9.5) in which these vulnerabilities have been fixed. Jetpack recommends users update as soon as possible, as both vulnerabilities have a high technical impact if exploited. At the time of writing 650,000 instances were still on a vulnerable version.

For more general tips on how to secure you CMS, we recommend reading our article on How to secure your content management system.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.