24 Jul 2023

AI Helps to Detect Expansion of Vulnerability in 1+ Million Install WordPress Plugin

Earlier this year, we noted how a machine learning (artificial intelligence (AI)) based system we have had helped to detect a vulnerability being introduced into a 1+ million install WordPress plugin. That came after the system had already helped to catch undisclosed attempts to fix vulnerabilities in WordPress plugins that failed to fix the vulnerabilities, including in another 1+ million install plugin. In the latest detection of a vulnerability in a 1+ million install plugin by the system, the vulnerability already existed, but the system correctly flagged the change being made because it expanded the impact of the vulnerability. That vulnerability is an authenticated settings change vulnerability in the plugin WP Fastest Cache.

We only run changes being made to plugins being used by our customers and 1+ million install plugins through that system, so if you are not using our service, plugins you use are likely missing out on that security measure.

Authenticated Settings Change

Several days ago a change was made to the plugin, described as “to add sitemap feature for preload”. In the file /inc/preload.php, one of the changes involved adding this code to the function set_preload():

		if(isset($_POST["wpFastestCachePreload_sitemap"]) && $_POST["wpFastestCachePreload_sitemap"]){
			$sitemap_url = explode(",", $_POST["wpFastestCachePreload_sitemap"]);
			$sitemap_arr = array();

			foreach ($sitemap_url as $s_key => $s_value) {
				$s_value = esc_url($s_value);

				array_push($sitemap_arr, array("url" => $s_value, "pointer" => 0));
			}

			$preload_arr["sitemaps"] = $sitemap_arr;

The code before that in the function doesn’t include either a capabilities check (which would restrict who can change the setting) or a nonce check (which would prevent cross-site request forgery (CSRF)):

public static function set_preload($slug){
	$preload_arr = array();

	if(!empty($_POST) && isset($_POST["wpFastestCachePreload"])){

Later in the function, the sitemap preload setting set by the code above, along with an existing setting set by the code directly below it, is saved to the database without any further check:

update_option("WpFastestCachePreLoad", json_encode($preload_std));

That static function is called indirectly by the function deleteCache(), which calls the plugin’s own set_preload() method:

public function deleteCache($minified = false){
	if($varnish_datas = get_option("WpFastestCacheVarnish")){
		include_once('inc/varnish.php');
		VarnishWPFC::purge_cache($varnish_datas);
	}

	include_once('inc/cdn.php');
	CdnWPFC::cloudflare_clear_cache();

	$this->set_preload();

That method in turn hands off to the static function shown above:

public function set_preload(){
	include_once('inc/preload.php');
	PreloadWPFC::set_preload($this->slug());

deleteCache() is itself called in various situations, including when several types of changes are made to posts, through the function on_all_status_transitions() in the file /wpFastestCache.php. Since any request that triggers a cache purge also reaches the settings-saving code, and nothing in that path checks who is making the request, users down to the Author level are able to change settings that are only intended to be changed by Administrators.
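To make the missing checks concrete, below is an added example (not code from the plugin or its developer) that places the unguarded pattern described above next to a hardened version. The function names, the nonce action name wpfc_preload_settings and the nonce field name wpfc_preload_nonce are assumptions for illustration; only the option name WpFastestCachePreLoad and the POST parameter names come from the code above.

```php
<?php
// Added example, not the plugin's own code. Function names, the nonce action
// 'wpfc_preload_settings' and the field 'wpfc_preload_nonce' are assumed.

// Unguarded pattern: every code path that reaches this function, including the
// cache purge run on post status transitions, persists attacker-supplied
// settings, because nothing checks the caller's capability or a nonce.
function wpfc_example_set_preload_unguarded() {
    $preload_arr = array();

    if ( ! empty( $_POST ) && isset( $_POST['wpFastestCachePreload'] ) ) {
        if ( isset( $_POST['wpFastestCachePreload_sitemap'] ) && $_POST['wpFastestCachePreload_sitemap'] ) {
            $sitemap_arr = array();
            foreach ( explode( ',', $_POST['wpFastestCachePreload_sitemap'] ) as $s_value ) {
                $sitemap_arr[] = array( 'url' => esc_url( $s_value ), 'pointer' => 0 );
            }
            $preload_arr['sitemaps'] = $sitemap_arr;
        }
        update_option( 'WpFastestCachePreLoad', json_encode( $preload_arr ) );
    }
}

// Hardened version: the settings write is accepted only from the plugin's own
// settings form (assumed nonce), only from users who may manage options, and
// input is sanitised before storage. Returns true when a change was saved.
function wpfc_example_set_preload_hardened() {
    if ( ! isset( $_POST['wpFastestCachePreload'] ) ) {
        return false;
    }

    // Authorisation: Authors and Editors must never reach the write below.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }

    // CSRF protection, and it also stops unrelated requests (such as a post
    // update carrying extra POST fields) from being treated as a settings save.
    $nonce = isset( $_POST['wpfc_preload_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpfc_preload_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'wpfc_preload_settings' ) ) {
        return false;
    }

    $preload_arr = array();

    if ( ! empty( $_POST['wpFastestCachePreload_sitemap'] ) ) {
        $raw_urls    = explode( ',', sanitize_text_field( wp_unslash( $_POST['wpFastestCachePreload_sitemap'] ) ) );
        $sitemap_arr = array();
        foreach ( $raw_urls as $s_value ) {
            // esc_url_raw() is the storage-side variant; esc_url() is for output.
            $url = esc_url_raw( trim( $s_value ), array( 'http', 'https' ) );
            if ( '' === $url ) {
                continue; // drop anything that is not an http(s) URL
            }
            $sitemap_arr[] = array( 'url' => $url, 'pointer' => 0 );
        }
        $preload_arr['sitemaps'] = $sitemap_arr;
    }

    update_option( 'WpFastestCachePreLoad', wp_json_encode( $preload_arr ) );
    return true;
}

// The settings form that posts to the hardened handler must emit the matching
// nonce field, for example:
// wp_nonce_field( 'wpfc_preload_settings', 'wpfc_preload_nonce' );
```

The capability check is the actual authorization control; the nonce check only ties the request to a form the current user was shown. Neither one substitutes for the other, and the cleanest fix is to take the settings write out of the cache purge path altogether so that a post update never executes it.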

WordPress Causes Full Disclosure

In protest of the continued inappropriate behavior of the moderators of the WordPress Support Forum, we changed from reasonably disclosing to fully disclosing vulnerabilities in plugins in the WordPress Plugin Directory until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about it for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)

You can notify the developer of this issue on the forum as well.

After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.

Proof of Concept

This proof of concept requires the latest trunk version of the plugin, as the change hasn’t been added to the production version (the existing setting in the function can be changed by slightly modifying the proof of concept).

Enable the Update Post setting of the plugin.

When updating a post as a user with the Author role, add the following POST parameters to the update request:

wpFastestCachePreload:true
wpFastestCachePreload_sitemap:http://proofofconcept.com/sitemap.xml

Checking the contents of the WordPress option WpFastestCachePreLoad will show the specified sitemap file has been added to it.


Plugin Security Scorecard Grade for WP Fastest Cache: B (checked on February 28, 2025)
