Bug in WP Fastest Cache plugin left 600K WordPress sites vulnerable

Attackers may be able to read the site's database contents because of a SQL injection vulnerability in the WordPress plugin WP Fastest Cache.

A caching plugin called WP Fastest Cache is used to enhance user experience, accelerate page loading, and raise the website’s Google search engine rating. Statistics from WordPress.org show that over a million websites utilize it.

According to download statistics published by WordPress.org, more than 600,000 websites still run a vulnerable version of the plugin, leaving them exposed to possible attacks.

Automattic's WPScan team today published details of a SQL injection vulnerability affecting all versions of the plugin prior to 1.2.2. The flaw is tracked as CVE-2023-6063 and is rated high severity with a score of 8.6.

SQL injection vulnerabilities arise when an application incorporates untrusted input directly into a SQL query. The input can then alter the query itself, allowing arbitrary SQL to run that extracts confidential data or executes further commands.

In this case the vulnerable code is the plugin's "is_user_admin" function, which reads the "$username" value from a cookie and uses it to check whether the current user is an administrator.
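To make the pattern concrete, here is an added Python model of the check described above; it is not the plugin's own code. A username is taken from a `wordpress_logged_in` cookie and looked up in the users and usermeta tables, once by splicing the string into the SQL text and once with a bound parameter (the equivalent of `$wpdb->prepare()` in WordPress). The table layout, cookie format and sample rows are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the two WordPress tables the check touches.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT NOT NULL);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
INSERT INTO wp_users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def username_from_cookies(cookies):
    """Model of the plugin's approach: the first cookie whose name contains
    'wordpress_logged_in' is split on '|' and the leading field is used as the
    username. Nothing about the cookie is verified (constructed simplification)."""
    for name, value in cookies.items():
        if "wordpress_logged_in" in name.lower():
            return value.split("|", 1)[0]
    return None

# Query template; {login} is either a spliced literal or a bind placeholder.
ADMIN_SQL = (
    "SELECT user_id FROM wp_usermeta WHERE user_id IN "
    "(SELECT ID FROM wp_users WHERE user_login = {login}) "
    "AND meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%'"
)

def is_user_admin_unsafe(db, cookies):
    """Vulnerable pattern: the cookie-derived string becomes part of the SQL
    text, so any quote or SQL syntax inside it changes the query itself."""
    username = username_from_cookies(cookies)
    if not username:
        return False
    sql = ADMIN_SQL.format(login="'" + username + "'")
    return db.execute(sql).fetchone() is not None

def is_user_admin_safe(db, cookies):
    """Hardened form: the value is bound as a parameter, so the database only
    ever compares it as data, never parses it as SQL."""
    username = username_from_cookies(cookies)
    if not username:
        return False
    sql = ADMIN_SQL.format(login="?")
    return db.execute(sql, (username,)).fetchone() is not None
```

A username such as `o'neil` is enough to show the difference: the spliced version raises a SQL syntax error because the quote terminates the literal, while the bound version simply returns False.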