WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks

The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site's database. WP Fastest Cache is a caching plugin used to speed up page loads, improve visitor experience, and boost the site's ranking on Google search. According to WordPress.org stats, it is used by more than a million sites. Download statistics from WordPress.org show that more than 600,000 websites still run a vulnerable version of the plugin and are exposed to potential attacks. Today, the WPScan team from Automattic disclosed the details of an SQL injection vulnerability, tracked as CVE-2023-6063 and with a high-severity score of 8.6, impacting all versions of the plugin before 1.2.2. SQL injection vulnerabilities occur when software accepts input that directly manipulates SQL queries, leading to running arbitrary SQL code that retrieves private information or command execution. In this case, the flaw impacts the 'is user admin' function of the 'WpFastestCacheCreateCache' class within the WP Fastest Cache plugin, which is intended to check if a user is an administrator by extracting the '$username' value from cookies. Because the '$username' input isn't sanitized, an attacker may manipulate this cookie value to alter the SQL query executes by the plugin, leading to unauthorized access to the database. WordPress databases typically include sensitive information like user data, account passwords, plugin and theme configuration settings, and other data necessary for the site's functions. WPScan will release a proof-of-concept exploit for CVE-2023-6063 on November 27, 2023, but it should be noted that the vulnerability isn't a complex one and hackers can figure out how to exploit it. A fix has been made available by the WP Fastest Cache developer in version 1.2.2, released yesterday. All users of the plugin are recommended to upgrade to the latest version as soon as possible. New WordPress backdoor creates rogue admin to hijack websites. Hackers exploit recent F5 BIG-IP flaws in stealthy attacks. Hackers exploit critical flaw in WordPress Royal Elementor plugin. Save $260 on this ChatGPT-powered WordPress plugin deal. Over 17,000 WordPress sites hacked in Balada Injector attacks last month.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000


Cyber News related to WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks

WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks - The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site's database. WP Fastest Cache is a caching plugin used to speed up page loads, improve ...
11 months ago Bleepingcomputer.com
New Balada Injector campaign infects 6,700 WordPress sites - A little over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin have been infected with the Balada Injector malware in a campaign that launched in mid-December. Initially documented by researchers at Dr. Web who observed ...
10 months ago Bleepingcomputer.com
How Purge Cache Keeps Your Website Content Fresh and Responsive - By bringing content closer to each visitor, CDNs improve performance and reduce load on the origin server - caching is the raison d'etre for CDNs. The reason for this is a CDN's effectiveness can be measured by the cache hit ratio, which is the ...
10 months ago Imperva.com
WordPress fixes POP chain exposing websites to RCE attacks - WordPress has released version 6.4.2 that addresses a remote code execution vulnerability that could be chained with another flaw to allow attackers run arbitrary PHP code on the target website. WordPress is a highly popular open-source content ...
11 months ago Bleepingcomputer.com
4500+ WordPress Sites Hacked with a Monero Cryptojacking Campaign - Security researchers recently reported the discovery of a massive Monero hacking campaign targeted at WordPress sites. According to reports, more than 4500 WordPress sites were compromised with a malicious cryptocurrency-mining campaign. The hackers ...
1 year ago Thehackernews.com
CVE-2023-2813 - All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before ...
1 year ago
Over 150k WordPress sites at takeover risk via vulnerable plugin - Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication. Last month, Wordfence security researchers Ulysses Saicha and ...
10 months ago Bleepingcomputer.com
Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware - Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code. The flaw leveraged in the attacks is tracked as CVE-2023-6000, a cross-site ...
8 months ago Bleepingcomputer.com
Google Chrome's new cache change could boost performance - Google is introducing a significant change to Chrome's Back/Forward Cache behavior, allowing web pages to be stored in the cache, even if a webmaster specifies not to store a page in the browser's cache. "Bfcache is an in-memory cache that stores a ...
11 months ago Bleepingcomputer.com
75K+ WordPress Sites Impacted by Critical Plugin Flaws - A large-scale breach has impacted more than 75,000 WordPress sites that are running an online course plugin. According to security researchers, the plugin has three critical vulnerabilities that could expose customer data and be used to take over ...
1 year ago Bleepingcomputer.com
WordPress Vulnerabilities, Exploiting LiteSpeed Cache and Email Subscribers Plugins - Learn about the critical vulnerabilities in LiteSpeed Cache and Email Subscribers plugins for WordPress, exploited by hackers to create admin account. In recent cybersecurity developments, hackers have been leveraging a critical vulnerability within ...
6 months ago Cysecurity.news
Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack - On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository. We immediately notified the WordPress Plugin's Team and they removed the ...
4 months ago Wordfence.com
CVE-2023-30853 - Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration ...
1 year ago
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
WordPress Request Architecture and Hooks - Before diving into the security features of WordPress, it's critical to understand the underlying request architecture. WordPress is a dynamic system that processes and responds to user requests in various ways, depending on the nature of the request ...
4 months ago Wordfence.com
CVE-2024-50278 - In the Linux kernel, the following vulnerability has been resolved: dm cache: fix potential out-of-bounds access on the first resume Out-of-bounds access occurs if the fast device is expanded unexpectedly before the first-time resume of the cache ...
2 days ago Tenable.com
Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin - On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability ...
10 months ago Wordfence.com
CVE-2021-41589 - In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous ...
3 years ago
Record Breaking $153,000+ Already Invested into the Security of the WordPress Ecosystem by Wordfence - In just a few short months since our launch in November of last year, the Wordfence Bug Bounty Program has already awarded over $153,000 in bounties to WordPress security researchers who have been responsibly reporting security issues in WordPress ...
8 months ago Wordfence.com
Fortinet warns of critical command injection bug in FortiSIEM - Fortinet is alerting customers of a critical OS command injection vulnerability in FortiSIEM report server that could be exploited by remote, unauthenticated attackers to execute commands through specially crafted API requests. FortiSIEM is a ...
11 months ago Bleepingcomputer.com
CVE-2021-24219 - The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before ...
2 years ago
CVE-2024-50279 - In the Linux kernel, the following vulnerability has been resolved: dm cache: fix out-of-bounds access to the dirty bitset when resizing dm-cache checks the dirty bits of the cache blocks to be dropped when shrinking the fast device, but an index bug ...
2 days ago Tenable.com
CVE-2021-24752 - Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top ...
2 years ago
30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin - On April 10th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an authenticated SQL Execution vulnerability in Visualizer, a WordPress plugin with more than 30,000 active installations. Props to Krzysztof Zając who ...
6 months ago Wordfence.com
How to Prevent DNS Attacks: DNS Security Best Practices - To protect against attack, best practices must be applied to protect the DNS protocol, the server on which the DNS protocol runs, and all access to the DNS processes. Implementing these best practices will not only protect DNS but also network ...
11 months ago Esecurityplanet.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)