Warning - Unauthenticated SQL injection in WP Fastest Cache (WordPress plugin)
CVE-2023-6063
8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Sources
https://nvd.nist.gov/vuln/detail/CVE-2023-6063
Risks
Successful exploitation of CVE-2023-6063 may allow unauthenticated attackers to read the full contents of the WordPress database using a time-based blind SQL injection payload. This has a high impact on data confidentiality.
Description
WP Fastest Cache is a WordPress cache and speed optimization plugin with over 1 million active deployments.
Versions 1.2.1 and earlier of this plugin are vulnerable to an unauthenticated SQL injection attack. Using this vulnerability, a time-based blind SQL injection payload can extract any information from the database.
This issue was identified by a security researcher. At the time of publication they were not aware of any exploitation in the wild. Since this plugin has a large install base and a PoC is available, future exploitation is to be expected.
Recommended Actions
The Centre for Cybersecurity Belgium strongly recommends administrators of systems with this plugin installed to take the following actions:
Patch
This vulnerability is fixed in WP Fastest Cache v1.2.2. Patch after thorough testing and keep an eye out for future security bulletins.
Monitor/Detect
Please ensure proper monitoring is in place to detect anomalies in your network such as unauthorized database access.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. In case of earlier exploitation, consider all secrets present in the WordPress database as compromised and rotate these.
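As an added example (not part of the CCB advisory or of the plugin's own code), the following Python checks the two things the advisory asks for: whether the installed plugin is older than the fixed 1.2.2 release, read from the plugin header, and whether web server access logs contain requests carrying a time-based blind SQL injection payload. The plugin file path, the header layout of the sample, the log format and the query parameter are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Release in which the advisory says the issue is fixed: anything older is affected.
FIXED_VERSION = (1, 2, 2)

# A time-based blind payload has to make MySQL/MariaDB pause; these are the functions
# normally used for that, so their presence in a request is a strong indicator.
TIME_BASED_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)

# Constructed sample of a WordPress plugin header (assumed to live in
# wp-content/plugins/wp-fastest-cache/wpFastestCache.php; the path is an assumption).
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Fastest Cache
Version: 1.2.1
*/
"""

# Constructed access log lines (combined log format). The advisory does not name the
# injection point, so the query parameter used here is made up for illustration.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Nov/2023:10:01:02 +0000] "GET /?p=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Nov/2023:10:01:07 +0000] '
    '"GET /?s=x%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512',
]

def parse_version(header_text):
    """Read the 'Version:' line of a plugin header into a comparable tuple of ints."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line found in plugin header")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))

def is_vulnerable(header_text):
    """True when the installed plugin is older than the fixed release (1.2.2)."""
    return parse_version(header_text) < FIXED_VERSION

def suspicious_requests(log_lines):
    """Return log lines whose request target, once percent-decoded, carries a time-based payload."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not m:
            continue
        # Decode twice: a payload may be percent-encoded more than once.
        if TIME_BASED_RE.search(unquote_plus(unquote_plus(m.group(1)))):
            hits.append(line)
    return hits
```

Run `is_vulnerable()` on the real plugin header and `suspicious_requests()` over the server's access log; a hit on a host that was running 1.2.1 or earlier is a reason to treat the database secrets as compromised, as the advisory recommends.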