WP Fastest Cache Vulnerabilities Discovered

In September 2021, security researchers at Jetpack discovered two critical vulnerabilities in a previous version of the popular WordPress plugin WP Fastest Cache after performing an in-depth code audit. This plugin creates a static, HTML version of the WordPress user’s website, and was developed to help WordPress site owners improve their site’s security performance.

Ironically enough, for a short period of time security performance was impacted on some sites with the plugin installed. Attackers taking advantage of these newfound vulnerabilities could gain full, unmitigated administrator privileges on any WordPress site with the Classic Editor plugin installed, allowing them to do anything an authorized admin could do.

Although the vulnerabilities have since been fixed, the WP Fastest Cache plugin has been downloaded and installed onto WordPress sites over one million times—there’s no telling how many installations have yet to be updated.

Digging Deeper Into WP Fastest Cache’s Exposed Vulnerabilities

The WP Fastest Cache vulnerabilities include:

  • SQL injection: This vulnerability, directed at the site owner’s database, allows any user who is logged into WordPress to read information, including usernames and passwords, that only administrators should have access to. Often, the intended end result of a SQL injection is a complete takeover of the victim’s website.
  • Cross-site scripting (XSS) via cross-site request forgery: This vulnerability involves hackers tricking users into visiting a site to unintentionally execute malicious commands. In the process, these users can have malicious files downloaded to their browser and have the credentials they enter intercepted by the attacker. Any part of the site that accepts user input, such as a username/password field or a contact form, can be vulnerable to XSS attacks if the site owner doesn’t check that input for malicious code.

These vulnerabilities affect site owners, and especially their users, by stealing and intercepting critical information such as usernames, passwords, credit card information, and much more. Essentially, for sites that are exposed to these two vulnerabilities due to an outdated installation of WP Fastest Cache, attackers would be able to perform any action a logged-in administrator of that site is allowed to do.

After Jetpack contacted the plugin developer about the existence of the vulnerability on September 28, and their development team received a second opinion from the WordPress plugin team in early October, the developer released an update designed to fix the issues for any and all WP Fastest Cache users on October 11.

Update Your Plugins Today To Keep Your WordPress Site Secure

Keeping any plugins you have installed on your WordPress site updated with the latest versions ensures the site will remain as secure as possible. Many plugin developers are responsive to newly discovered vulnerabilities and exploits against their plugins and will release updates to address any and all issues found. Site owners using the WP Fastest Cache plugin for WordPress should immediately update their installation to the latest version (0.9.5 as of this writing) to protect their site against these newly discovered vulnerabilities.

Before you install a plugin, be sure to check what others are saying about it, particularly with regard to how secure it is. Regularly perform audits of the plugins you have previously installed and remove those you’re not using to mitigate potential security risks. Finally, make sure plugins you want to continue using are always updated to keep your device and your data as secure as possible.
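
One way to run the plugin audit described above for this specific issue, as an added example that is not code from SiteLock, Jetpack or the plugin's developer: the script reads the Version header from each plugin's top-level PHP file and flags copies older than the 0.9.5 release recommended above. The directory name wp-fastest-cache, the helper names and the sample plugin file are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Minimum versions to accept. 0.9.5 is the release this article recommends;
# the directory slug "wp-fastest-cache" is an assumption of this example.
MIN_SAFE = {"wp-fastest-cache": "0.9.5"}
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def version_key(v):
    """'0.9.1.6' -> (0, 9, 1, 6); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_older(installed, minimum):
    a, b = version_key(installed), version_key(minimum)
    n = max(len(a), len(b))  # pad so 0.9.5 and 0.9.5.0 compare equal
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def installed_version(plugin_dir):
    """Read 'Version:' from the top-level PHP file carrying the plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # header sits near the top
        if re.search(r"Plugin Name:", head, re.I):
            m = HEADER_RE.search(head)
            if m:
                return m.group(1)
    return None

def audit(plugins_root, min_safe=MIN_SAFE):
    """Return (slug, installed version, action) for each plugin needing attention."""
    findings = []
    for slug, minimum in min_safe.items():
        d = Path(plugins_root) / slug
        if d.is_dir():
            v = installed_version(d)
            if v is None:
                findings.append((slug, "unknown", "no version header found"))
            elif is_older(v, minimum):
                findings.append((slug, v, f"update to {minimum} or later"))
    return findings

def make_sample(root, slug, version):
    """Constructed sample plugin directory, used only for the demo run."""
    d = Path(root) / slug
    d.mkdir(parents=True)
    (d / "main.php").write_text(
        f"<?php\n/*\nPlugin Name: Sample\nVersion: {version}\n*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, "wp-fastest-cache", "0.9.4")  # constructed old version
        print(audit(tmp))
```

On a real site, point audit() at the wp-content/plugins directory and add further slugs and minimum versions to MIN_SAFE as advisories are published.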

SiteLock Combats Website Vulnerabilities To Keep You Secure

SiteLock helps site owners secure their websites by quickly finding and fixing existing and potential threats and vulnerabilities. Equipped with strong security tools and solutions, our team of experts scans websites, patches vulnerabilities, removes malware, and more for top-tier clients who use and depend on web platforms such as WordPress, Joomla, Magento and more.

Here’s how SiteLock can help defend your website against modern cyberthreats:

  • More secure connections: With a secure FTP-based connection, our clients see the highest levels of website security—and we never impact performance.
  • Comprehensive site scans: In-depth server and site level scanning helps site owners identify malicious infections, vulnerabilities, and spam listings to optimize the user experience.
  • Faster, automatic site fixes: Active infections to your website’s files and databases are quickly identified when they’re introduced, and automatically removed.
  • Consistent, continuous site protection: Security threats and vulnerabilities from outdated implementations, themes, and plugins are consistently assessed and patched as new updates arrive.

There will always be new vulnerabilities exposed by curious programmers and malicious actors alike, so make sure to stay informed and stay updated. Learn more about how SiteLock can secure your website with best-in-class, automatic website threat protection.
