Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
Microsoft has addressed a total of 61 new security flaws in its software as part of its Patch Tuesday updates for May 2024, including two zero-days which have been actively exploited in the wild.
Of the 61 flaws, one is rated Critical, 59 are rated Important, and one is rated Moderate in severity. This is in addition to 30 vulnerabilities
WP Fastest Cache Plugin Exposes Over 600K+ WordPress Sites to SQL Injection Attacks
In a recent development, the WPScan team has unearthed a significant security flaw within the widely used WP Fastest Cache plugin.
This vulnerability, categorized as an unauthenticated SQL injection, could grant unauthorized access to sensitive data in the WordPress database.
The vulnerability, identified as CVE-2023-6063, affects versions of WP Fastest Cache lower than 1.2.2.
Upon making this discovery during an internal review, the team at WPScan acted swiftly to inform the plugin’s development team.
In response, the developers promptly released version 1.2.2 to address and rectify the issue.
Examining the vulnerability
The crux of the vulnerability lies in the is_user_admin function of the WpFastestCacheCreateCache class, which is susceptible to SQL injection.
This function is invoked from the createCache function, presenting a potential entry point for malicious actors.
Notably, the vulnerability is aggravated by the fact that the function is executed at plugin load time, before wp_magic_quotes() has escaped the incoming request data.
To exploit this vulnerability, an unauthenticated attacker could manipulate the $username variable, obtained from a specific cookie, to inject a time-based blind SQL payload.
This could, in turn, lead to the extraction of sensitive information from the WordPress database.
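As an added illustration, and not the plugin's actual code (which this page does not reproduce), the pattern described above in hypothetical form: a cookie-derived username concatenated into a query, beside a hardened version that binds it with $wpdb->prepare(). The cookie name, query and function names are assumptions.

```php
<?php
// Added example: hypothetical code, not WP Fastest Cache's implementation.
// Cookie name, query and helper names are assumptions for illustration.
// Assumes the WordPress runtime is loaded so $wpdb, user_can(), get_user_by() exist.

// Vulnerable pattern: the cookie value is interpolated directly into SQL.
// Running at plugin load time means no escaping has happened yet, and even
// later escaping is no substitute for parameterizing the query.
function is_user_admin_vulnerable( $wpdb, $username ) {
    $sql  = "SELECT ID FROM {$wpdb->users} WHERE user_login = '" . $username . "'";
    $rows = $wpdb->get_results( $sql ); // attacker-controlled string becomes part of the query
    return ! empty( $rows ) && user_can( (int) $rows[0]->ID, 'administrator' );
}

// Hardened: the %s placeholder in $wpdb->prepare() binds the value as data, never as SQL.
function is_user_admin_hardened( $wpdb, $username ) {
    $sql  = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} WHERE user_login = %s",
        $username
    );
    $rows = $wpdb->get_results( $sql );
    return ! empty( $rows ) && user_can( (int) $rows[0]->ID, 'administrator' );
}

// Safer still: let WordPress resolve the user instead of hand-writing SQL at all.
function is_user_admin_via_api( $username ) {
    $user = get_user_by( 'login', $username );
    return $user instanceof WP_User && user_can( $user, 'administrator' );
}

// Example call site: the username comes from a cookie (name assumed) and is untrusted input.
$username = isset( $_COOKIE['wp_fc_user'] ) ? (string) wp_unslash( $_COOKIE['wp_fc_user'] ) : '';
$is_admin = is_user_admin_hardened( $wpdb, $username );
```

The hardened variants treat the cookie value purely as a bound parameter, so the timing-based payload described above has nothing to inject into.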
Mitigation
Administrators utilizing WP Fastest Cache must take immediate action by updating their installations to version 1.2.2.
This update serves as a crucial safeguard against potential exploitation of the identified vulnerability.
WPScan plans to publish an entry on Nov. 27, 2023, for further details and proof-of-concept illustrating this security concern.
Website administrators and users alike are advised to stay vigilant and informed about the latest security updates to ensure the integrity and security of their WordPress installations.
Fraud researchers impersonated on X to push crypto-stealing sites
Multiple fake accounts impersonating cryptocurrency scam investigators and blockchain security companies are promoting phishing pages to drain wallets in an ongoing campaign on X (formerly Twitter). […]
Addressing the State of AI’s Impact on Cyber Disinformation/Misinformation
By embracing a strategy that combines technological advancements with critical thinking skills, collaboration, and a culture of continuous learning, organizations can safeguard against AI’s disruptive effects.