A popular plugin for the WordPress website builder appears to be carrying a major flaw that could allow threat actors to steal sensitive data from the website’s database.
Research by Plugin Vulnerabilities, a platform that analyzes the security of WordPress plugins found that the developer of WP Fastest Cache (a WordPress plugin with more than a million installs) recently committed a change to the plugin in the Subversion repository underlying the WordPress Plugin Directory. This fix addressed an SQL injection vulnerability that allowed threat actors to run arbitrary SQL code on the website, effectively allowing them to read the contents of the WordPress database.
The researchers also created a proof of concept to confirm that the flaw can be abused in the wild.
Is there a fix?
The bad news was that, at publication time, the developer didn’t release a new version of the plugin, making the fix unavailable to the public.
The latest version, at the time of writing, was 1.2.1, which is why the researchers suggested users disable the plugin, or manually replace it with something else, until a fix is available. However, the Fastest Cache website states version 1.2.2 to be the latest one, so it could be that the developer pushed the update live in the meantime.
Unfortunately, there are practically no details in the changelog, with the developer only stating that certain “security enhancements” had been made, so it’s difficult to determine if the issue had been addressed or not. Plugin Vulnerabilities reached out to the developer Emre Vona to notify him of the flaw.
There are also no details on the support forum.
WordPress is generally considered a safe website builder, but among the thousands of plugins, both free and commercial, there are many that are flawed and are being used to compromise hundreds of websites, daily.
