Exploiting SQL Injection in WP Fastest Cache (CVE-2023-6063)

In the ever-changing digital landscape, safeguarding the security of our online assets is of utmost importance. WordPress, a major player in web development, recently faced a significant security challenge with a critical vulnerability in one of its widely-used plugins — WP Fastest Cache. Discovered by the diligent WPScan team from Automattic, this vulnerability poses a serious threat to the security of over a million websites. In this article, we explore the specifics of the issue and underscore the pressing need for website owners to take immediate action.

Uncovering the Vulnerability

WP Fastest Cache, a caching plugin designed to optimize website performance and user experience, is a staple for many website administrators. Startlingly, recent statistics from WordPress.org reveal that over 600,000 websites are still running versions of the plugin vulnerable to a severe security flaw.

The WPScan team’s disclosure on [current date] outlines the vulnerability as CVE-2023-6063, assigning it a high-severity score of 8.6. This vulnerability affects all plugin versions released before the recent fix introduced in version 1.2.2.

Grasping SQL Injection Vulnerabilities

SQL injection vulnerabilities are a well-known risk in the cybersecurity realm. They occur when software fails to adequately validate user input, allowing malicious actors to manipulate SQL queries directly. In the context of WP Fastest Cache, the vulnerability resides in the ‘is_user_admin’ function of the ‘WpFastestCacheCreateCache’ class. This function, responsible for checking if a user is an administrator, extracts the ‘$username’ value from cookies without proper sanitization.

The Exploitation Risk

The unsanitized ‘$username’ input becomes a potential entry point for unauthorized access. Malicious actors can exploit this cookie value to manipulate the SQL query executed by the plugin, potentially gaining access to sensitive information stored in the website’s database.

Urgent Response Needed

Given the disclosure of this vulnerability, the need for swift action is paramount. The WPScan team plans to release a proof-of-concept (PoC) exploit for CVE-2023-6063 on November 27, 2023. However, the simplicity of the vulnerability implies that attackers may exploit it even before the official PoC release.

The Solution: Update to Version 1.2.2

In response to the severity of the situation, the developers of WP Fastest Cache acted promptly to address the vulnerability. Version 1.2.2, released on [previous date], contains the necessary fixes. Website owners are strongly encouraged to update their plugins to this latest version promptly to ensure the security of their sites.

Exploitation PoC:

  1. Plugin setting

Enable “WP Fastest Cache”

PoC

The “wordpress_logged_in” cookie parameter is vulnerable.

python sqlmap.py --dbms=mysql -u "http://127.0.0.1/wordpress/wp-login.php" --cookie='wordpress_logged_in=*' --level=2 --banner

Mitigation:

The update’s commit message, “Security Enhancements,” suggests a vulnerability fix. Our AI system detected the change as a potential vulnerability fix in a WordPress plugin update. The altered SQL statement in the is_user_admin() function in /inc/cache.php seems ineffective: it uses a prepared statement without separating the data from the query, so the prepared statement serves no purpose.

And here is the new code:

You can see that $wpdb->prepare() is now called, but it is not put to use: the data is still not separated from the query.

The change that addresses the vulnerability, though not ideally, is the use of esc_sql() on the variable $username, which comes from user input.
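The difference between calling prepare() without a placeholder, escaping the value, and binding it, shown as an added example that is not the plugin's code. PDO with an in-memory SQLite database stands in for $wpdb and MySQL, and the table, the function names and the sample usernames are constructed.

```php
<?php
// Added example: PDO with in-memory SQLite stands in for $wpdb and MySQL.
// Table, function names and sample usernames are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user_login TEXT PRIMARY KEY, role TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'administrator'), ('bob', 'subscriber')");

const ADMIN_LOOKUP = "SELECT COUNT(*) FROM users WHERE role = 'administrator' AND user_login = ";

// prepare() without a placeholder: the value is already part of the SQL text
// when the driver sees it, so preparing the statement adds no protection.
function is_admin_interpolated(PDO $pdo, string $username): bool {
    $stmt = $pdo->prepare(ADMIN_LOOKUP . "'$username'");
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Escaping: the value is still part of the SQL text, but quote characters in
// it are escaped. Correct only while the value stays inside a quoted literal.
function is_admin_escaped(PDO $pdo, string $username): bool {
    $stmt = $pdo->query(ADMIN_LOOKUP . $pdo->quote($username));
    return (int) $stmt->fetchColumn() > 0;
}

// Bound parameter: the query text is fixed and the value travels separately,
// which is the separation of data that a prepared statement exists for.
function is_admin_bound(PDO $pdo, string $username): bool {
    $stmt = $pdo->prepare(ADMIN_LOOKUP . "?");
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed cookie-derived usernames: two ordinary values and one containing
// a quote, which changes the WHERE clause when it is interpolated.
$samples = ["alice", "bob", "nobody' OR role = 'administrator"];
foreach ($samples as $u) {
    printf("%-34s interpolated=%-5s escaped=%-5s bound=%s\n", $u,
        var_export(is_admin_interpolated($pdo, $u), true),
        var_export(is_admin_escaped($pdo, $u), true),
        var_export(is_admin_bound($pdo, $u), true));
}
```

In WordPress the bound form corresponds to putting a %s placeholder in the query string and passing $username as an argument to $wpdb->prepare().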

In Conclusion

The identification of a critical SQL injection vulnerability in WP Fastest Cache serves as a stark reminder of the perpetual vigilance required in the digital realm. Website owners must prioritize security measures, regularly updating plugins and systems to stay ahead of potential threats. By taking immediate action and updating to version 1.2.2, WordPress site administrators can protect their websites from the imminent threat posed by this critical vulnerability.

LinkedIn: sandeepvishwakarma1