CSRF, XSS and SQLi vulnerabilities found in WP Fastest Cache plugin
The Jetpack team at Automattic discovered two vulnerabilities during an audit of the popular WP Fastest Cache plugin: a SQL injection, and a stored XSS combined with CSRF (CVE-2021-24869). WP Fastest Cache is widely used to speed up and optimize WordPress sites.
According to the description, the most critical of the issues found is the stored XSS (Cross-Site Scripting) reachable via Cross-Site Request Forgery (CSRF). Exploiting it allows an attacker to perform any action on behalf of a logged-in admin, including uploading malicious JavaScript code to the site.
The SQL injection vulnerability allows access to confidential information from the site's database, such as user logins and passwords.
A build with the corresponding fixes (0.9.5) was released on October 11th.
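The two vulnerability classes above (CSRF leading to stored XSS, and SQL injection in plugin code) are closed by the same handful of WordPress checks. The following is an added illustration and not code from WP Fastest Cache or from the Jetpack advisory; the handler name, option name and form field are hypothetical, while the WordPress functions it calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `sanitize_text_field`, `$wpdb->prepare`) are real core APIs.

```php
<?php
// Added example (hypothetical plugin code, not WP Fastest Cache's own):
// a settings form and its handler with the checks that close the
// vulnerability classes described in the report above.
// All wpfc_demo_* names and the 'wpfc_demo_exclude' option are assumptions.

// Render the settings form. The nonce ties the request to this admin's
// session, so a forged cross-site form post will fail the check below.
function wpfc_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpfc_demo_save">';
    wp_nonce_field( 'wpfc_demo_save', 'wpfc_demo_nonce' ); // anti-CSRF token
    // Escape on output: a stored value is never echoed raw into HTML.
    echo '<input type="text" name="exclude_url" value="'
        . esc_attr( get_option( 'wpfc_demo_exclude', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handler for admin-post.php?action=wpfc_demo_save
function wpfc_demo_save() {
    // 1. CSRF: reject any request without a valid nonce for this action.
    //    A vulnerable handler would skip this and trust $_POST directly.
    check_admin_referer( 'wpfc_demo_save', 'wpfc_demo_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege,
    //    so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 3. Stored XSS: sanitize on input (and escape again on output, above),
    //    so script tags submitted via a forged request are never stored as-is.
    $exclude = isset( $_POST['exclude_url'] )
        ? sanitize_text_field( wp_unslash( $_POST['exclude_url'] ) )
        : '';
    update_option( 'wpfc_demo_exclude', $exclude );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_wpfc_demo_save', 'wpfc_demo_save' );

// 4. SQL injection: user-controlled values go through $wpdb->prepare(),
//    never string concatenation into the query text.
function wpfc_demo_find_published_post( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_name = %s AND post_status = 'publish' LIMIT 1",
        $slug
    );
    return $wpdb->get_var( $sql );
}
```

When reviewing a plugin for these classes, the three things to look for in every admin action handler are exactly the numbered steps above: a nonce check, a capability check, and sanitize-in/escape-out; for database access, any query built with string interpolation of request data instead of `$wpdb->prepare()` is the pattern that yields the SQL injection described in this report.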
Source: anti-malware.ru
21 October 2021