Wednesday, May 18th, 2022

WP Fastest Cache Patches Authenticated SQL Injection and Stored XSS via CSRF Vulnerabilities – WP Tavern

The Jetpack Scan team recently published a summary of two issues discovered in the WP Fastest Cache plugin – an authenticated SQL injection vulnerability and a stored XSS via CSRF vulnerability.

“If exploited, the SQL injection bug could give attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords),” said Marc Montpas, Automattic Security Research Engineer. This particular vulnerability can only be exploited on sites where the Classic Editor plugin is both installed and activated.

“Successfully exploiting the CSRF and stored XSS vulnerabilities will enable bad actors to take any action a targeted logged-in administrator is allowed to take on the target site,” Montpas said. He also found that attackers could “abuse some of these options to store fake JavaScript on the affected website.”

WP Fastest Cache is active on over 1 million WordPress sites, and the plugin also reports 58,322 paid users. Plugin author Emre Vona fixed the vulnerabilities in version 0.9. Jetpack advises users to update as soon as possible, as both vulnerabilities have a high technical impact if exploited.
