Fastest Cache, a WP Plugin detected with SQL Injection & XSS Vulnerability allowing admin access
A security audit revealed SQL injection and stored XSS via CSRF vulnerabilities in the WP Fastest Cache plugin affecting versions below 0.9.5...
Team SecureBlink
17 Oct 2021
2 min read

Researchers at Jetpack uncovered multiple vulnerabilities in the WP Fastest Cache plugin during an internal audit. The first vulnerability is an SQL injection; if exploited, it could allow attackers to read sensitive information from affected sites' databases. A site is exposed to this vulnerability only if the Classic Editor plugin is also installed and activated. Secondly, they discovered a stored XSS via CSRF; this could enable threat actors to carry out any action that the targeted, logged-in administrator has permission to perform.


Technical Analysis


Authenticated SQL Injection


This vulnerability, tracked as CVE-2021-24869, affects versions below 0.9.5 and has a CVSS (Common Vulnerability Scoring System) score of 7.7.


public static function set_urls_with_terms(){
    global $wpdb;
    // static::$id is concatenated straight into the WHERE clause, unquoted and unbound
    $terms = $wpdb->get_results("SELECT * FROM `".$wpdb->prefix."term_relationships` WHERE `object_id`=".static::$id, ARRAY_A);

    foreach ($terms as $term_key => $term_val){
        static::set_term_urls($term_val["term_taxonomy_id"]);
    }
}

The set_urls_with_terms function concatenates static::$id directly into an SQL query, so whatever value ends up in that property is placed unchanged into the statement. The static function set_id does check that the provided ID points to a published post, but this isn't enough to guarantee that the value contains only that ID: esc_sql() escapes quotes, which does nothing in an unquoted numeric context, and get_post_status() resolves the leading integer of the value, so a value that starts with a valid published post ID passes the check even though it carries more than that ID.


public static function set_id(){
    if(isset($_GET["post"]) && $_GET["post"]){
        // esc_sql() only escapes quotes; it does not make the value an integer
        static::$id = esc_sql($_GET["post"]);

        // get_post_status() looks up the post by the value's leading integer
        if(get_post_status(static::$id) != "publish"){
            static::$id = 0;
        }
    }
}
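The fix a defender would want for the two functions above is to accept only a digit string, cast it to an integer, and bind it through $wpdb->prepare() so the query never depends on the earlier check. The script below is an added example, not the plugin's code: the class name Wpfc_Term_Urls, the callable standing in for get_post_status(), and the Fake_Wpdb stand-in (which only records the prepared query, since there is no database behind it) are all assumptions made so that it runs from the PHP CLI.

```php
<?php
// Added example (not WP Fastest Cache code): hardened versions of set_id()
// and set_urls_with_terms(). Fake_Wpdb is an assumed stand-in for $wpdb.

if (!defined('ARRAY_A')) {
    define('ARRAY_A', 'ARRAY_A'); // WordPress defines this; stand-in for the CLI
}

// Stand-in for the two $wpdb methods used here. prepare() is simplified to
// %d and %s, the two placeholders this example needs.
class Fake_Wpdb {
    public $prefix = 'wp_';
    public $last_query = '';

    public function prepare($query, ...$args) {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use (&$i, $args) {
            $v = $args[$i++];
            return $m[0] === '%d'
                ? (string) (int) $v                       // %d: always an integer
                : "'" . addslashes((string) $v) . "'";    // %s: quoted and escaped
        }, $query);
    }

    public function get_results($query, $output = ARRAY_A) {
        $this->last_query = $query;
        return []; // no database behind this stand-in
    }
}

class Wpfc_Term_Urls {
    public static $id = 0;

    // Hardened set_id(): only a pure digit string is accepted, it is cast to
    // int, and it is kept only if the post it names is published.
    // $post_status stands in for WordPress' get_post_status().
    public static function set_id(array $get, callable $post_status) {
        static::$id = 0;
        if (!isset($get['post']) || !ctype_digit((string) $get['post'])) {
            return; // anything that is not purely numeric is rejected outright
        }
        $id = (int) $get['post'];
        if ($id > 0 && $post_status($id) === 'publish') {
            static::$id = $id;
        }
    }

    // Hardened set_urls_with_terms(): the ID is bound with %d, so even if
    // validation were bypassed the value could not change the query shape.
    public static function set_urls_with_terms($wpdb) {
        $terms = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT * FROM `{$wpdb->prefix}term_relationships` WHERE `object_id` = %d",
                static::$id
            ),
            ARRAY_A
        );
        foreach ($terms as $term) {
            // static::set_term_urls($term['term_taxonomy_id']); // plugin-specific, omitted here
        }
        return $wpdb->last_query; // returned so the demo can show what was sent
    }
}

// Demo on constructed input: post 7 is published, post 8 is a draft.
$wpdb = new Fake_Wpdb();
$published = function ($id) { return $id === 7 ? 'publish' : 'draft'; };

foreach (['7', '7abc', '8'] as $raw) {
    Wpfc_Term_Urls::set_id(['post' => $raw], $published);
    echo str_pad($raw, 6) . ' => ' . Wpfc_Term_Urls::set_urls_with_terms($wpdb) . PHP_EOL;
}
```

Run it with `php hardened_terms.php`. Only the plain `7` reaches the query as a non-zero ID; `7abc` fails the digit check and `8` fails the published check, so both fall back to `object_id = 0`. In a real plugin the same two changes apply against the genuine $wpdb and get_post_status(), and the %d placeholder is what removes the dependency on set_id() being correct.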

The stored XSS via CSRF vulnerability, also tracked as CVE-2021-24869, again affects versions below 0.9.5 but has a CVSS rating of 9.6.


The AJAX action wp_ajax_wpfc_save_cdn_integration calls CdnWPFC::savecdnintegration() to save the CDN-specific options. That handler checks the privileges of the user sending the request, but it does not verify that the user actually intended to make the change (the request is not tied to a CSRF nonce), nor does it validate the submitted values. Jetpack's researchers further observed that some of these options could be abused to store malicious JavaScript on the affected website.
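The three checks such a handler needs are a capability check (who is asking), a nonce check (did this user intend the request, which is what stops CSRF), and validation of what is stored (which is what stops the saved option from carrying script). The script below is an added example, not the plugin's code: the action name wpfc_example_save_cdn, the option name wpfc_cdn_example, and the three field names are assumptions. The WordPress part registers itself only when WordPress is loaded, so the file also runs from the CLI to show the validation step on a constructed request body.

```php
<?php
// Added example (not WP Fastest Cache code): an AJAX save handler with
// capability check, CSRF nonce check, and value validation. Names are assumed.

// Pure validation step: runs anywhere and returns only well-formed values.
function wpfc_example_sanitize_cdn(array $in): array {
    $clean = [];

    // The CDN URL must be an absolute http(s) URL; any other scheme is dropped,
    // so the stored value can never be a script-bearing URL.
    $url = isset($in['cdnurl']) ? trim((string) $in['cdnurl']) : '';
    if (preg_match('#^https?://#i', $url)
        && filter_var($url, FILTER_VALIDATE_URL) !== false) {
        $clean['cdnurl'] = $url;
    }

    // File-type list: comma separated, letters and digits only, so no markup
    // can survive into the option.
    $types = isset($in['file_types']) ? (string) $in['file_types'] : '';
    $parts = array_filter(array_map('trim', explode(',', $types)), function ($t) {
        return $t !== '' && ctype_alnum($t);
    });
    $clean['file_types'] = implode(',', $parts);

    // Boolean flag: anything other than "1" is off.
    $clean['usecdn'] = (isset($in['usecdn']) && $in['usecdn'] === '1') ? 1 : 0;

    return $clean;
}

// WordPress side, registered only when WordPress is loaded.
if (function_exists('add_action')) {
    add_action('wp_ajax_wpfc_example_save_cdn', function () {
        // 1. Capability: only administrators may change these settings.
        if (!current_user_can('manage_options')) {
            wp_send_json_error('forbidden', 403);
        }
        // 2. Nonce: the request must carry a token minted for this action
        //    (wp_create_nonce('wpfc_example_save_cdn') on the settings page);
        //    check_ajax_referer() terminates the request when it is missing or stale.
        check_ajax_referer('wpfc_example_save_cdn', 'nonce');
        // 3. Validation: store only the sanitized values, never the raw POST body.
        $clean = wpfc_example_sanitize_cdn(wp_unslash($_POST));
        update_option('wpfc_cdn_example', $clean);
        wp_send_json_success($clean);
    });
}

// CLI demo on a constructed request body (no WordPress loaded).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $posted = [
        'cdnurl'     => 'ftp://cdn.example/',  // constructed: scheme is not http(s)
        'file_types' => 'css, js, <b>x</b>',   // constructed: third entry carries markup
        'usecdn'     => 'yes',                 // constructed: not the literal "1"
    ];
    var_export(wpfc_example_sanitize_cdn($posted));
    echo PHP_EOL;
}
```

From the CLI the demo shows the URL dropped, the file-type list reduced to `css,js`, and the flag forced to 0. The order of the three checks matters less than their presence: the capability check alone, which is what the vulnerable handler had, says nothing about whether the administrator's browser sent the request on the administrator's behalf, and only the nonce ties the request to a page that user actually loaded.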


The blog concluded by recommending that you check which version of the WP Fastest Cache plugin your site is using and, if it is below 0.9.5, update it as soon as possible.