One of the most popular WordPress Cache plugins found at risk of security vulnerabilities. The vulnerabilities were found in the WP Fastest Cache plugin which has over 1 million active sites using it.
The issues 1. Authenticated SQL Injection vulnerability and 2. A Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue. The issues were reported by Jetpack on October 14th through a post.
The post explains more about the details of the two vulnerabilities. Which have the same CVE ID (CVE-2021-24869), but different descriptions and CVSS scores (7.7 / “High” and 9.6 / “Critical”).
More on the Vulnerabilities
Authenticated SQL Injection
Affected versions: < 0.9.5
CVE-ID: CVE-2021-24869
CVSSv3.1: 7.7
CWSS: 73.6
The SQL Injection flaw, if exploited, might provide attackers access to sensitive information from the vulnerable site’s database (e.g., usernames and hashed passwords). It only used if the classic-editor plugin also installed and enabled on the site.
Stored XSS Via CSRF
Affected versions: < 0.9.5
CVE-ID: CVE-2021-24869
CVSSv3.1: 9.6
CWSS: 74.7
Successfully exploiting the CSRF and Stored XSS vulnerabilities may allow bad actors to take any activity that the logged-in administrator they targeted permitted to perform on the targeted site.
If you haven’t upgraded the plugin yet, we strongly advise you to do so right now. Please verify if you are using 0.9.5; if you are using any of the versions below, please update immediately.
Such vulnerabilities already reported in WordPress plugins. One plugin, Access Demo Importer, was discovered to have a security problem this month. If exposed, the flaw might allow attackers with subscriber-level access to upload arbitrary files, potentially resulting in remote code execution.
Before that, we reported two issues in the WooCommerce Multi-Currency plugin and Form Plugin. In addition, to learn more about these issues you can check those links.
Follow us on Facebook, Twitter to stay updated on the latest plugin vulnerabilities, guides about WordPress and WooCommerce.
You may also like:
 
  
  
  
  
 