This top WordPress plugin has a major security flaw - and there's no fix yet

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

A popular plugin for the WordPress website builder appears to be carrying a major flaw that could allow threat actors to steal sensitive data from the website’s database. 

Research by Plugin Vulnerabilities, a platform that analyzes the security of WordPress plugins found that the developer of WP Fastest Cache (a WordPress plugin with more than a million installs) recently committed a change to the plugin in the Subversion repository underlying the WordPress Plugin Directory. This fix addressed an SQL injection vulnerability that allowed threat actors to run arbitrary SQL code on the website, effectively allowing them to read the contents of the WordPress database.

The researchers also created a proof of concept to confirm that the flaw can be abused in the wild.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Is there a fix?

The bad news was that, at publication time, the developer didn’t release a new version of the plugin, making the fix unavailable to the public. 

The latest version, at the time of writing, was 1.2.1, which is why the researchers suggested users disable the plugin, or manually replace it with something else, until a fix is available. However, the Fastest Cache website states version 1.2.2 to be the latest one, so it could be that the developer pushed the update live in the meantime. 

Unfortunately, there are practically no details in the changelog, with the developer only stating that certain “security enhancements” had been made, so it’s difficult to determine if the issue had been addressed or not. Plugin Vulnerabilities reached out to the developer Emre Vona to notify him of the flaw. 

There are also no details on the support forum. 

WordPress is generally considered a safe website builder, but among the thousands of plugins, both free and commercial, there are many that are flawed and are being used to compromise hundreds of websites, daily.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.