The Jetpack Scan team has published a summary of two issues recently discovered in the WP Fastest Cache plugin – an authenticated SQL injection vulnerability and a stored XSS via CSRF vulnerability.
“If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords),” Automattic security research engineer Marc Montpas said. This particular vulnerability can only be exploited on sites where the Classic Editor plugin is both installed and activated.
WP Fastest Cache is active on more than 1 million WordPress sites, and the plugin also reports 58,322 paid users. Emre Vona, the plugin’s author, patched the vulnerabilities in version 0.9.5, released this week. Jetpack recommends users update as soon as possible, as both vulnerabilities have a high technical impact if exploited.