Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.WEB_APPLICATION_SCANNING_114027
HistorySep 13, 2023 - 12:00 a.m.

WP Fastest Cache Plugin for WordPress < 1.1.3 Multiple Vulnerabilities

2023-09-1300:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
wordpress
fastest cache plugin
vulnerabilities
nonce validation
capability checks
csrf

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.0%

JSON

The WordPress Fastest Cache Plugin installed on the remote host suffers from multiple vulnerabilities:

  • A nonce validation issue on the wpfc_preload_single_callback function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to invoke a cache building action (CVE-2023-1918)

  • A nonce validation issue on the wpfc_preload_single_callback function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to change cache related settings (CVE-2023-1919)

  • A nonce validation issue on the wpfc_purgecache_varnish_callback function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to purge the varnish cache via a forged request (CVE-2023-1920)

  • A nonce validation issue on the wpfc_start_cdn_integration_ajax_request_callback function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to change cdn settings via a forged request (CVE-2023-1921)

  • A nonce validation issue on the wpfc_pause_cdn_integration_ajax_request_callback function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to change cdn settings via a forged request (CVE-2023-1922)

  • A nonce validation issue on the wpfc_remove_cdn_integration_ajax_request_callback function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to change cdn settings via a forged request (CVE-2023-1923)

  • A nonce validation issue on the wpfc_toolbar_save_settings_callback function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to change cache related settings (CVE-2023-1924)

  • A nonce validation issue on the wpfc_clear_cache_of_allsites_callback function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to clear caches (CVE-2023-1925)

  • A nonce validation issue on the deleteCacheToolbar function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to delete caches (CVE-2023-1926)

  • A nonce validation issue on the deleteCssAndJsCacheToolbar function leading to a Cross-Site Request Forgery (CSRF) vulnerability permitting attackers to delete caches (CVE-2023-1927)

  • A missing capability check vulnerability on the wpfc_preload_single_callback function permitting attackers with subscriber-level access to initiate cache creation (CVE-2023-1928)

  • A missing capability check vulnerability on the wpfc_purgecache_varnish_callback function permitting attackers with subscriber-level access to initiate cache creation (CVE-2023-1929)

  • A missing capability check vulnerability on the wpfc_clear_cache_of_allsites_callback function permitting attackers with subscriber-level access to initiate cache creation (CVE-2023-1930)

  • A missing capability check vulnerability on the deleteCssAndJsCacheToolbar function permitting attackers with subscriber-level access to initiate cache creation (CVE-2023-1931)

Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.

No source data
VendorProductVersionCPE
wpfastestcachewp_fastest_cache*cpe:2.3:a:wpfastestcache:wp_fastest_cache:*:*:*:*:*:wordpress:*:*

Related

openvas 1
wpvulndb 1
prion 14
cve 14
cvelist 14
nvd 14
wordfence 1
openvas
openvas
WordPress Fastest Cache Plugin < 1.1.3 Multiple Vulnerabilities
2023-06-07 00:00:00
wpvulndb
wpvulndb
WP Fatest Cache < 1.1.3 - Multiple CSRF
2023-04-06 00:00:00
prion
prion
Cross site request forgery (csrf)
2023-04-06 20:15:00
Cross site request forgery (csrf)
2023-04-06 20:15:00
Cross site request forgery (csrf)
2023-04-06 20:15:00
cve
cve
CVE-2023-1919
2023-04-06 20:15:08
CVE-2023-1925
2023-04-06 20:15:08
CVE-2023-1923
2023-04-06 20:15:08
cvelist
cvelist
CVE-2023-1918
2023-04-06 19:54:45
CVE-2023-1919
2023-04-06 19:55:18
CVE-2023-1923
2023-04-06 19:57:00
nvd
nvd
CVE-2023-1926
2023-04-06 20:15:08
CVE-2023-1919
2023-04-06 20:15:08
CVE-2023-1928
2023-04-06 21:15:07
wordfence
wordfence
Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 3, 2023 to Apr 9, 2023)
2023-04-13 12:03:39

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.0%

JSON
Related for WEB_APPLICATION_SCANNING_114027
openvas1wpvulndb1prion14cve14cvelist14nvd14wordfence1