Headline
CVE-2023-1375: Changeset 2893158 for wp-fastest-cache – WordPress Plugin Repository
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized cache deletion in versions up to, and including, 1.1.2 due to a missing capability check in the deleteCacheToolbar function . This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the site’s cache.
wp-fastest-cache/trunk/inc/admin-toolbar.php
r2889399
r2893158
12
12
add\_action('admin\_enqueue\_scripts', array($this, 'load\_toolbar\_js'));
13
13
add\_action('admin\_enqueue\_scripts', array($this, 'load\_toolbar\_css'));
14
add\_action('wp\_print\_scripts', array($this, 'print\_my\_inline\_script'));
14
15
}else{
15
16
if(is\_admin\_bar\_showing()){
wp-fastest-cache/trunk/inc/single-preload.php
r2689004
r2893158
68
68
type: 'POST',
69
69
url: ajaxurl,
70
data: {"action": "wpfc\_preload\_single\_save\_settings", "is\_enable": jQuery(this).val()},
70
data: {"action": "wpfc\_preload\_single\_save\_settings", "is\_enable": jQuery(this).val(), "nonce" : wpfc\_nonce},
71
71
dataType: "json",
72
72
cache: false,
…
…
257
257
type: 'GET',
258
258
url: ajaxurl,
259
data: {"action": "wpfc\_preload\_single", "url": url, "user\_agent": user\_agent},
259
data: {"action": "wpfc\_preload\_single", "url": url, "user\_agent": user\_agent, "nonce" : wpfc\_nonce},
260
260
dataType: "html",
261
261
timeout: 10000,
wp-fastest-cache/trunk/js/cdn/cdn.js
r2742479
r2893158
145
145
dataType: "json",
146
146
url: ajaxurl,
147
data : {"action": "wpfc\_start\_cdn\_integration", "id" : self.id},
147
data : {"action": "wpfc\_start\_cdn\_integration", "id" : self.id, "nonce" : self.nonce},
148
148
success: function(res){
149
149
self.show\_button("pause");
…
…
171
171
dataType: "json",
172
172
url: ajaxurl,
173
data : {"action": "wpfc\_pause\_cdn\_integration", "id" : self.id},
173
data : {"action": "wpfc\_pause\_cdn\_integration", "id" : self.id, "nonce" : self.nonce},
174
174
success: function(res){
175
175
self.show\_button("start");
…
…
198
198
dataType: "json",
199
199
url: ajaxurl,
200
data : {"action": "wpfc\_remove\_cdn\_integration", "id" : self.id},
200
data : {"action": "wpfc\_remove\_cdn\_integration", "id" : self.id, "nonce" : self.nonce},
201
201
success: function(res){
202
202
self.values = jQuery.grep(self.values, function (e, i) {
wp-fastest-cache/trunk/js/db.js
r2786430
r2893158
97
97
url: ajaxurl,
98
98
dataType : "json",
99
data : {"action": "wpfc\_db\_statics"},
99
data : {"action": "wpfc\_db\_statics", "nonce" : wpfc\_nonce},
100
100
cache: false,
101
101
success: function(data){
wp-fastest-cache/trunk/wpFastestCache.php
r2886944
r2893158
410
410
411
411
public function wpfc\_preload\_single\_callback(){
412
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
413
die( 'Security check' );
414
}
415
412
416
include\_once('inc/single-preload.php');
413
417
SinglePreloadWPFC::create\_cache();
…
…
425
429
426
430
public function wpfc\_preload\_single\_save\_settings\_callback(){
431
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
432
die( 'Security check' );
433
}
434
427
435
include\_once('inc/single-preload.php');
428
436
SinglePreloadWPFC::save\_settings();
…
…
503
511
504
512
public function wpfc\_db\_statics\_callback(){
513
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
514
die( 'Security check' );
515
}
516
505
517
global $wpdb;
506
518
…
…
572
584
573
585
public function wpfc\_save\_cdn\_integration\_ajax\_request\_callback(){
586
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
587
die( 'Security check' );
588
}
589
574
590
include\_once('inc/cdn.php');
575
591
CdnWPFC::save\_cdn\_integration();
…
…
577
593
578
594
public function wpfc\_start\_cdn\_integration\_ajax\_request\_callback(){
595
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
596
die( 'Security check' );
597
}
598
579
599
include\_once('inc/cdn.php');
580
600
CdnWPFC::start\_cdn\_integration();
…
…
582
602
583
603
public function wpfc\_pause\_cdn\_integration\_ajax\_request\_callback(){
604
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
605
die( 'Security check' );
606
}
607
584
608
include\_once('inc/cdn.php');
585
609
CdnWPFC::pause\_cdn\_integration();
…
…
587
611
588
612
public function wpfc\_remove\_cdn\_integration\_ajax\_request\_callback(){
613
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
614
die( 'Security check' );
615
}
616
589
617
include\_once('inc/cdn.php');
590
618
CdnWPFC::remove\_cdn\_integration();
…
…
662
690
663
691
public function wpfc\_purgecache\_varnish\_callback(){
692
if(!wp\_verify\_nonce($\_REQUEST\["security"\], 'wpfc-varnish-ajax-nonce')){
693
die( 'Security check' );
694
}
695
664
696
if($varnish\_datas = get\_option("WpFastestCacheVarnish")){
665
697
include\_once('inc/varnish.php');
…
…
865
897
866
898
public function deleteCacheToolbar(){
899
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
900
die( 'Security check' );
901
}
902
867
903
$this->deleteCache();
868
904
}
869
905
870
906
public function deleteCssAndJsCacheToolbar(){
907
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
908
die( 'Security check' );
909
}
910
871
911
$this->deleteCache(true);
872
912
}
…
…
911
951
912
952
public function wpfc\_toolbar\_save\_settings\_callback(){
953
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
954
die( 'Security check' );
955
}
956
913
957
if(current\_user\_can('manage\_options')){
914
958
if(is\_array($\_GET\["roles"\]) && !empty($\_GET\["roles"\])){
…
…
939
983
940
984
public function wpfc\_clear\_cache\_of\_allsites\_callback(){
985
986
if(defined('DOING\_AJAX') && DOING\_AJAX){
987
if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
988
die( 'Security check' );
989
}
990
}
991
941
992
include\_once('inc/cdn.php');
942
993
CdnWPFC::cloudflare\_clear\_cache();