Contact Information

152 W Park Ave #150
El cajon CA 92020

We Are Available 24/ 7. Call Now.

#Security #Audit #Reveals #Major #Vulnerability #Popular #WordPress #Plugin #Update #ASAP

Cartoonish image of a PC with a vulnerability.

WP Fastest Cache, a WordPress plugin currently in use by over 1 million users that assists in more efficiently delivering their websites, is addressing a security issue with its 1.2.2 release. This update addresses an SQL injection vulnerability found during an internal review by the WPScan team. The vulnerability made it possible for an unauthenticated attacker to access the entirety of a WordPress database with timebased blind SQL injection payload.

The WP Fastest Cache development team was immediately alerted to this vulnerability by WPScan, which lead to the 1.2.2 update that contains the fix for this issue. It’s strongly recommended that WordPress administrators who have this plugin currently installed apply the update as quickly as possible to minimize any harm to their websites.

Computer code on a black screen.

WPScan went into the nitty gritty details regarding the vulnerability, explaining how a function found in the plugin’s code is the culprit. According to WPScan, “The function retrieves the $username variable from any cookie with the text wordpress_logged_in in its name, retrieving everything up to the first | character. The variable is then inserted into the query without escaping. Note that this function is called at plugin load time, which is before wp_magic_quotes() has been called on the request data.”

Since the results from the SQL query are not used anywhere outside of this function, there is no direct way to retrieve them. However, a timebased blind SQL injection payload can easily extract any information from the database using this vulnerability.”

WPScan is a WordPress security service that scans for vulnerabilities in the popular content management system, and maintains a database that catalogs 43,655 WordPress core, plugin, and theme vulnerabilities.



Entrepreneur Creative Designer @al.janahy Founder of @inkhost another face of I hope to stay passionate in what I doing

Leave a Reply

Your email address will not be published. Required fields are marked *