sábado, dezembro 9, 2023

WP Quickest Cache plugin bug exposes 600K WordPress websites to assaults

WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks

The WordPress plugin WP Quickest Cache is weak to an SQL injection vulnerability that might permit unauthenticated attackers to learn the contents of the positioning’s database.

WP Quickest Cache is a caching plugin used to hurry up web page masses, enhance customer expertise, and increase the positioning’s rating on Google search. Based on WordPress.org stats, it’s utilized by greater than one million websites.

Obtain statistics from WordPress.org present that greater than 600,000 web sites nonetheless run a weak model of the plugin and are uncovered to potential assaults.

Right now, the WPScan group from Automattic disclosed the small print of an SQL injection vulnerability, tracked as CVE-2023-6063 and with a high-severity rating of 8.6, impacting all variations of the plugin earlier than 1.2.2.

SQL injection vulnerabilities happen when software program accepts enter that instantly manipulates SQL queries, resulting in operating arbitrary SQL code that retrieves personal data or command execution.

On this case, the flaw impacts the ‘is_user_admin’ perform of the ‘WpFastestCacheCreateCache’ class throughout the WP Quickest Cache plugin, which is meant to test if a person is an administrator by extracting the ‘$username’ worth from cookies.

The vulnerable function
The weak perform (WPScan)

As a result of the ‘$username’ enter isn’t sanitized, an attacker could manipulate this cookie worth to change the SQL question executes by the plugin, resulting in unauthorized entry to the database.

WordPress databases sometimes embrace delicate data like person information (IP addresses, emails, IDs), account passwords, plugin and theme configuration settings, and different information mandatory for the positioning’s capabilities. 

WPScan will launch a proof-of-concept (PoC) exploit for CVE-2023-6063 on November 27, 2023, but it surely must be famous that the vulnerability isn’t a posh one and hackers can determine how you can exploit it.

A repair has been made accessible by the WP Quickest Cache developer in model 1.2.2, launched yesterday. All customers of the plugin are beneficial to improve to the newest model as quickly as potential.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles