Hadrian Logo
Platform

Vulnerability Alerts

2 mins

High-severity vulnerability found in WP Fastest Cache WordPress plugin

A vulnerability has been discovered in the WP Fastest Cache plugin that allows unauthenticated attackers to read the contents of the site’s database. 

Hadrian recommends updating WP Fastest Cache to version 1.2.2 or greater.

What is the WP Fastest Cache vulnerability?

The WP Fastest Cache vulnerability (CVE-2023-6063) is an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site’s database. SQL injection attacks are a type of attack that allow SQL queries to be manipulated to read and modify data, exfiltrate files or execute commands.

This particular vulnerability could allow an attacker to gain unauthorized access to a database. The flaw lies in the is_user_admin function of the WpFastestCacheCreateCache class of the plugin. The function is intended to check the $username value from any cookie with the text wordpress_logged_in in its name. However, the input is not sanitized which could allow an attacker to alter the value and gain access to WordPress databases.

WordPress databases can contain sensitive information such as user data, account passwords, plugin details and configuration settings.  Alex Sanford at WPScan discovered this vulnerability. What has yet to be confirmed is the exploitability. WPScan will publish a proof of concept on 27 November.  

What does WP Fastest Cache do?

WP Fastest Cache is an optimization tool that improves a website's performance and reduces the system load serving a webpage. Site speed is important to many administrators because Google’s search ranking algorithm considers page load time as a factor. System load is significant because it allows a server to support more simultaneous page requests.

The utility of the plugin has led to its widespread adoption. Statistics available on WordPress.org show that WP Fastest Cache has been downloaded over 45 million times and is actively used on over a million sites.  Bleeping Computer has reported that the vulnerability impacts 600 thousand websites.

Hadrian's recommendations

The plugin should be immediately updated to version 1.2.2, which was released on 13th November. 

WordPress is often targeted because it is used on over 40% of all websites and has a large number of 3rd party plugins. Threat actors commonly use poorly maintained plugins as a vector when launching their attacks.

Organizations should implement an external exposure management solution to identify risks before they are exploited. Get in touch with our experts to learn more.

Related articles

New vulnerability discovered in WordPress plugin

Vulnerability Alerts

2 mins

New vulnerability discovered in WordPress plugin

A critical vulnerability has been uncovered within the WordPress plugin called Advanced Custom Fields (ACF), placing over 2 million websites at risk.

Olivier Beg
Olivier Beg - Head of Hacking
Remote working at Hadrian

Inside Hadrian

3 mins

What it’s like working remotely at Hadrian

Birrighinde shares how remote working at Hadrian facilitates flexibility, autonomy and productivity as a recruiter.

Birrighinde
Birrighinde - Senior Recruiter
Designing with customer experience in mind

Inside Hadrian

4 mins

Designing with customer experience in mind

UX/UI Designer Yujie shares her journey to Hadrian and how she builds the Hadrian platform with optional usability and visibility.

Yujie
Yujie - UX/UI Designer

Book a demo

Get started scanning in 5 minutes

We only need your domain for our system to get started autonomously scanning your attack surface.

Book a demo

dashboard