Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This top WordPress plugin has a major security flaw - and there's no fix yet

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS).

A popular plugin for the WordPress website builder appears to be carrying a major flaw that could allow threat actors to steal sensitive data from the website’s database. 

Research by Plugin Vulnerabilities, a platform that analyzes the security of WordPress plugins found that the developer of WP Fastest Cache (a WordPress plugin with more than a million installs) recently committed a change to the plugin in the Subversion repository underlying the WordPress Plugin Directory. This fix addressed an SQL injection vulnerability that allowed threat actors to run arbitrary SQL code on the website, effectively allowing them to read the contents of the WordPress database.

The researchers also created a proof of concept to confirm that the flaw can be abused in the wild.


Is there a fix?

The bad news was that, at publication time, the developer didn’t release a new version of the plugin, making the fix unavailable to the public. 

The latest version, at the time of writing, was 1.2.1, which is why the researchers suggested users disable the plugin, or manually replace it with something else, until a fix is available. However, the Fastest Cache website states version 1.2.2 to be the latest one, so it could be that the developer pushed the update live in the meantime. 

Unfortunately, there are practically no details in the changelog, with the developer only stating that certain “security enhancements” had been made, so it’s difficult to determine if the issue had been addressed or not. Plugin Vulnerabilities reached out to the developer Emre Vona to notify him of the flaw. 

There are also no details on the support forum. 

WordPress is generally considered a safe website builder, but among the thousands of plugins, both free and commercial, there are many that are flawed and are being used to compromise hundreds of websites, daily.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.