WP Fastest Cache Patches Authenticated SQL Injection and Stored XSS Via CSRF Vulnerabilities

The Jetpack Scan team has published a summary of two issues recently discovered in the WP Fastest Cache plugin – an Authenticated SQL Injection vulnerability and a Stored XSS Via CSRF vulnerability.

“If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords),” Automattic security research engineer Marc Montpas said. This particular vulnerability can only be exploited on sites where the Classic Editor plugin is both installed and activated.

“Successfully exploiting the CSRF and Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site,” Montpas said. He also found that attackers could “abuse some of these options to store rogue Javascript on the affected website.”

WP Fastest Cache is active on more than 1 million WordPress sites, and the plugin also reports 58,322 paid users. Emre Vona, the plugin’s author, patched the vulnerabilities in version 0.9.5, released this week. Jetpack recommends users update as soon as possible, as both vulnerabilities have a high technical impact if exploited.
