New capability streamlines automated testing of cybersecurity and anti-fraud features in Android and iOS apps in virtual and cloud testing suites.
Related Posts
WP Fastest Cache Plugin Exposes Over 600K+ WordPress Sites to SQL Injection Attacks
In a recent development, the WPScan team has unearthed a significant security flaw within the widely-used WP Fastest Cache plugin.
This vulnerability, categorized as an unauthenticated SQL injection, could potentially grant unauthorized access to sensitive data in the WordPress database.
The vulnerability, identified as CVE-2023-6063, affects versions of WP Fastest Cache lower than 1.2.2.
Upon making this discovery during an internal review, the team at WPScan acted swiftly to inform the plugin’s development team.
In response, the developers promptly released version 1.2.2 to address and rectify the issue.
Examining the vulnerability
The crux of the vulnerability lies in the is_user_admin function of the WpFastestCacheCreateCache class, which is susceptible to SQL injection.
This function is invoked from the createCache function, presenting a potential entry point for malicious actors.
Notably, the vulnerability is aggravated by the fact that the function is executed at plugin load time before the application’s data is sanitized by wp_magic_quotes().
To exploit this vulnerability, an unauthenticated attacker could manipulate the $username variable, obtained from a specific cookie, to inject a time-based blind SQL payload.
This could, in turn, lead to the extraction of sensitive information from the WordPress database.
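As an added illustration (not the plugin's own code and not WPScan's), the pattern the advisory describes, a cookie-derived username concatenated into SQL, is shown beside the prepared-statement form a WordPress plugin should use. The admin lookup, the cookie name and the function names are hypothetical; only `$wpdb`, `$wpdb->prepare()` and `$wpdb->esc_like()` are real WordPress APIs.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress' global $wpdb;
// the admin lookup and the cookie name are hypothetical.

// Unsafe pattern: the cookie value is interpolated straight into the query text.
// Executed at plugin load, before wp_magic_quotes() has touched the superglobals,
// the function sees the raw cookie bytes, so quoting in the value can alter the query.
function example_is_user_admin_unsafe( $username ) {
    global $wpdb;
    $sql = "SELECT u.ID FROM {$wpdb->users} u
              JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
             WHERE u.user_login = '" . $username . "'
               AND m.meta_key = '{$wpdb->prefix}capabilities'
               AND m.meta_value LIKE '%administrator%'";
    return (bool) $wpdb->get_var( $sql );
}

// Hardened pattern: $wpdb->prepare() binds every external value as data, so the
// cookie content cannot change the query structure no matter when the function runs.
// The LIKE wildcards live in the bound argument, not in the query text.
function example_is_user_admin_safe( $username ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT u.ID FROM {$wpdb->users} u
           JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
          WHERE u.user_login = %s
            AND m.meta_key = %s
            AND m.meta_value LIKE %s",
        $username,
        $wpdb->prefix . 'capabilities',
        '%' . $wpdb->esc_like( 'administrator' ) . '%'
    );
    return (bool) $wpdb->get_var( $sql );
}

// Cookie input is caller-controlled and unauthenticated: read it defensively,
// force a string type, and never rely on later sanitization having run.
$login_cookie = isset( $_COOKIE['example_login_cookie'] )
    ? (string) $_COOKIE['example_login_cookie']
    : '';
$is_admin = example_is_user_admin_safe( $login_cookie );
```

Reviewing a plugin for this class of bug means locating every `$wpdb->query()`/`get_var()`/`get_results()` call whose SQL string is built by concatenation and confirming each external value reaches the query only through `prepare()` placeholders.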
Mitigation
Administrators utilizing WP Fastest Cache must take immediate action by updating their installations to version 1.2.2.
This update serves as a crucial safeguard against potential exploitation of the identified vulnerability.
WPScan plans to publish an entry on Nov. 27, 2023, for further details and proof-of-concept illustrating this security concern.
Website administrators and users alike are advised to stay vigilant and informed about the latest security updates to ensure the integrity and security of their WordPress installations.
The post WP Fastest Cache Plugin Exposes Over 600K+ WordPress Sites to SQL Injection Attacks appeared first on Cyber Security News.
AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service
More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021.
AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victims’ bandwidth for what appears to be an […]
The Hacker News | #1 Trusted Cybersecurity News Site
Google: Gemini AI for Android processes sensitive data locally
Google says it is taking a privacy-minded approach to the integration of AI features like the Gemini assistant on Android devices, implementing end-to-end protection to secure data in transit while keeping the most sensitive data locally on the device. […]