Fastest Cache is used by more than one million websites
Vulnerabilities in the popular WordPress plugin WP Fastest Cache could allow an attacker to gain access to credentials and take over an admin account.
The security flaws in the extension, which has more than one million active downloads, were discovered during an internal audit of the software by Jetpack Security.
The first flaw, an SQL injection vulnerability with a CVSS score of 7.7, could grant attackers access to privileged information from an affected site’s database, such as usernames and hashed passwords.
This SQL injection bug can only be exploited if the classic-editor plugin is also installed and activated on the site.
Researchers also found a cross-site scripting (XSS) bug reachable via a cross-site request forgery (CSRF) flaw, which has a CVSS score of 9.6. Exploiting this vulnerability would allow an attacker to perform any action the victim, potentially an admin user, is privileged to perform.
In a blog post, the researchers from Jetpack provided more technical detail on how they were able to demonstrate the attacks. They credited researcher Marc Montpas with the original finding.
A timeline also showed that it took less than five weeks from initial contact with the vendor for them to fix the issue.
Fastest Cache users are urged to update to the latest version 0.9.5 to protect against these various vulnerabilities.
“We recommend that you check which version of the WP Fastest Cache plugin your site is using, and if it is less than 0.9.5, update it as soon as possible!” the blog reads.
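The version check Jetpack recommends, as an added example that is not part of the original article or the plugin's own code: it parses the standard WordPress plugin file header for the `Version:` field and compares it numerically against 0.9.5 (a plain string comparison would wrongly treat a future 0.9.10 as older than 0.9.5). The header below is a constructed sample; the plugin's real file name and header contents are assumptions.

```python
import re
from typing import Optional, Tuple

# Minimum safe version named in the Jetpack advisory.
FIXED_VERSION = "0.9.5"

# Constructed sample of a WordPress plugin header (assumed to follow the
# standard header format; this is not the real file's contents).
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Fastest Cache
Version: 0.9.4
*/
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' field from a WordPress plugin header, or None."""
    match = re.search(r"^\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$",
                      header_text, re.MULTILINE)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 0.9.10 sorts above 0.9.5."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def check_header(header_text: str) -> Tuple[Optional[str], bool]:
    """Parse the header and report (version, needs_update)."""
    version = parse_plugin_version(header_text)
    if version is None:
        # No version found: cannot confirm a patched build, so flag it.
        return None, True
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Assumed main plugin file path under a site's wp-content directory.
    # with open("wp-content/plugins/wp-fastest-cache/wpFastestCache.php") as f:
    #     header = f.read(4096)
    version, needs_update = check_header(SAMPLE_HEADER)
    print(f"WP Fastest Cache {version}: "
          f"{'update required' if needs_update else 'patched'}")
```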
© 2021 PortSwigger Ltd.