Injection vulnerabilities in popular WordPress plugin could expose credentials, allow admin access
15 October 2021 at 12:41 UTC
Updated: 15 October 2021 at 13:55 UTC
Fastest Cache is used by more than one million websites
Vulnerabilities in Fastest Cache, a popular WordPress plugin, could allow an attacker to gain access to credentials and take over an admin account.
The security flaws in the extension, which has more than one million active downloads, were discovered during an internal audit of the software by Jetpack Security.
The first flaw, an SQL injection vulnerability with a CVSS score of 7.7, could grant attackers access to privileged information in an affected site’s database, such as usernames and hashed passwords.
This SQL injection bug can only be exploited if the classic-editor plugin is also installed and activated on the site.
Researchers also found a cross-site scripting (XSS) bug, reachable via a cross-site request forgery (CSRF) flaw, that has a CVSS score of 9.6. Exploiting this vulnerability would allow an attacker to perform any action their victim, potentially an admin user, had the privileges to perform.
A disclosure timeline also shows that the vendor fixed the issue less than five weeks after initial contact.
Fastest Cache users are urged to update to the latest version, 0.9.5, to protect against these vulnerabilities.
“We recommend that you check which version of the WP Fastest Cache plugin your site is using, and if it is less than 0.9.5, update it as soon as possible!” the blog reads.
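For administrators who want to perform that version check from the shell across one or many installs, the following script is an added example and is not code from the article, from Jetpack Security or from the plugin's authors. It assumes the plugin is installed under `wp-content/plugins/wp-fastest-cache/` with the main file `wpFastestCache.php` carrying the standard WordPress `Version:` plugin header; both of those names are assumptions, so adjust the path if your install differs. The version comparison is written generally (any number of dotted components, numeric comparison per component), so it also compares correctly in cases such as `0.9.10` against `0.9.5`, which a plain string comparison would get wrong.

```shell
#!/bin/sh
# Added example, not from the article: flag an installed WP Fastest Cache
# whose version is older than the fixed release 0.9.5.
# Assumptions (not stated on the page): the plugin slug is wp-fastest-cache
# and its main file is wpFastestCache.php with a standard "Version:" header.

FIXED_VERSION="0.9.5"

# version_lt A B -> returns 0 (true) if dotted version A is strictly lower
# than B, comparing each component numerically; missing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal, so not strictly lower
    }'
}

# plugin_version FILE -> prints the value of the "Version:" plugin header
# (lines look like " * Version: 0.9.5" inside the header comment block).
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# check_plugin FILE -> 0 if the plugin is at or beyond the fixed version,
# 1 if it is outdated, 2 if no Version header could be read.
check_plugin() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "could not read a Version header from $1"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "OUTDATED: WP Fastest Cache $v is older than $FIXED_VERSION; update it"
        return 1
    fi
    echo "OK: WP Fastest Cache $v is at or beyond $FIXED_VERSION"
    return 0
}

# Demo on a constructed sample header (not a real install). On a live site
# run instead, for example:
#   check_plugin /var/www/html/wp-content/plugins/wp-fastest-cache/wpFastestCache.php
SAMPLE=$(mktemp)
printf '/*\n * Plugin Name: WP Fastest Cache\n * Version: 0.9.4\n */\n' > "$SAMPLE"
check_plugin "$SAMPLE" || true
rm -f "$SAMPLE"
```

The exit code of `check_plugin` is what makes this usable in a fleet-wide loop or a cron job: a non-zero status on an outdated or unreadable install can feed an alert, while the printed line is for a human reading the output.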