10 Nov 2023

Developer of WP Fastest Cache Obliquely Discloses SQL Injection Vulnerability, Fix Isn’t Generally Available

Yesterday, the developer of the 1+ million install WordPress plugin WP Fastest Cache committed a change to the plugin in the Subversion repository underlying the WordPress Plugin Directory that fixed a SQL injection vulnerability. Unfortunately, they haven’t released a new version of the plugin that makes the fix available to the public. If hackers haven’t already realized what is at issue, it shouldn’t take them long.

The commit message for the update was “Security Enhancements”, which suggests a vulnerability could have been fixed. Our machine learning (artificial intelligence (AI)) based system for catching vulnerabilities being fixed in updates to WordPress plugins flagged the change as fixing a vulnerability. Could hackers have a similar system? Who knows, but it isn’t too complicated to create what we have, so we wouldn’t want to bet they don’t. [Read more]

24 Jul 2023

AI Helps to Detect Expansion of Vulnerability in 1+ Million Install WordPress Plugin

Earlier this year, we noted how a machine learning (artificial intelligence (AI)) based system we have had helped to detect a vulnerability being introduced into a 1+ million install WordPress plugin. That came after the system had already helped to catch undisclosed attempts to fix vulnerabilities in WordPress plugins that had failed to fix the vulnerabilities, including in another 1+ million install plugin. In the latest detection of a vulnerability in a 1+ million install plugin by the system, the vulnerability already existed, but the system correctly flagged it because the change being made expanded the impact of the vulnerability. That vulnerability is an authenticated settings change vulnerability in the plugin WP Fastest Cache.

We only run changes being made to plugins being used by our customers and 1+ million install plugins through that system, so if you are not using our service, plugins you use are likely missing out on that security measure. [Read more]

20 Feb 2019

Vulnerability Details: Arbitrary Directory Deletion Vulnerability in WP Fastest Cache

One of the changelog entries for the latest version of WP Fastest Cache is “to fix cache deletion security issue of WP-PostRatings (CVE-2019-6726 by Sebastian Neef)”. That sounds a bit odd since it is referring to a security issue with another plugin, but looking at the development log we found two entries labeled “refactoring of wp_postratings_clear_fastest_cache” that explained what was at issue.

[Read more]

31 Oct 2018

Full Disclosure of CSRF/SSRF Vulnerability in WordPress Plugin With 800,000+ Installs

One of the impediments we see to improving the security of WordPress plugins (as well as security in general) is that security journalists don’t provide a good picture of what is and isn’t going on, so others don’t understand what actually needs to be done to improve the situation. One recent example comes from Catalin Cimpanu at ZDNet’s Zero Day blog, who put forward this one-sided (at best) portrayal of the handling of the security of WordPress plugins by the people on the WordPress side of things:

Campbell says the WordPress team has been collaborating with the authors of the most popular plugins on its Plugins repository. It’s been helping these plugins follow best coding practices. [Read more]

9 Oct 2018

Vulnerability Details: CSRF/XSS Vulnerability in WP Fastest Cache

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

[Read more]

2 Mar 2018

What Happened With WordPress Plugin Vulnerabilities in February 2018

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during February (and what you have been missing out on if you haven’t signed up yet): [Read more]

1 Dec 2017

What Happened With WordPress Plugin Vulnerabilities in November 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet): [Read more]

2 Nov 2017

Vulnerability Details: Cross-Site Request Forgery (CSRF) Vulnerability in WP Fastest Cache

One of the strangest experiences we have had with trying to get a vulnerability fixed involved the plugin WP Fastest Cache. After we had dug into the details that Wordfence failed to include when they disclosed a couple of vulnerabilities in that plugin, we noticed they had missed part of the vulnerabilities (which would be a good reason for them to fully disclose vulnerabilities, so that others can catch that sort of problem). We then contacted the developer of the plugin to let them know about that and also to let them know about an additional issue that could be combined with it. We figured that since they had fixed part of the issue, it would be easy to work with them to fix the additional issues we had identified. That turned out not to be the case. The problem had to do with part of the new vulnerability and the remaining issue from the others involving cross-site request forgery (CSRF), which involves causing someone else to take an action they didn’t intend to. That is admittedly a bit confusing, since the person taking the action is allowed to do it; they just don’t intend to.

[Read more]

20 Jun 2016

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in WP Fastest Cache

Recently, in discussing Wordfence’s problematic practice of disclosing vulnerabilities but only releasing partial details, in what appears to be an attempt to profit by being the only firewall provider who can protect against them, we mentioned that this practice makes it harder for others to review the vulnerabilities. That is important, since we frequently find that vulnerabilities haven’t actually been fixed, that they have only been partially fixed, or that the disclosure of one vulnerability will point the way to other vulnerabilities. When it comes to Wordfence’s disclosures, that concern already wasn’t hypothetical. The first time they did that type of disclosure, with the Yoast SEO plugin, we found two related vulnerabilities that they had missed (which still have yet to be fixed).

Two more recent disclosures by Wordfence made this way involved the WP Fastest Cache plugin. As we discussed in our post looking at the vulnerabilities, both involved a situation where AJAX functions were accessible to any logged-in user instead of just Administrator level users. This was fixed by checking whether the user making the request has the manage_options capability. [Read more]