BleepingComputer reports that more than 600,000 WordPress sites could have their databases compromised through the exploitation of a high-severity SQL injection vulnerability impacting the WP Fastest Cache plugin.
All WP Fastest Cache plugin versions earlier than 1.2.1 are affected by the flaw, tracked as CVE-2023-6063, which stems from a function in the plugin's "WpFastestCacheCreateCache" class that fails to sanitize the "$username" input, according to a report from Automattic's WPScan team.
Attackers could use the unsanitized value to modify SQL queries and gain unauthorized access to the database, which holds sensitive user information, plugin and theme configuration settings, account credentials, and other site data, the researchers said.
Site owners have been urged to remediate the flaw immediately by updating to the patched version of the plugin, ahead of WPScan's planned release of a proof-of-concept exploit on Nov. 27.
WPScan noted, however, that the flaw could easily be exploited in attacks even without the PoC code.
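As an added illustration, not the plugin's own code and not a reproduction of CVE-2023-6063, the PHP below shows the general pattern behind this class of bug in a WordPress plugin (attacker-controlled input concatenated into an SQL string) next to the hardened form that binds the value through WordPress's `$wpdb->prepare()`, plus a helper that flags installed versions below the 1.2.1 fix. The `example_` function names and the query itself are assumptions; the first two functions expect to run inside a loaded WordPress environment where the global `$wpdb` object exists.

```php
<?php
// Added illustration (not WP Fastest Cache's code). Assumes WordPress is loaded,
// so the global $wpdb (class wpdb) and sanitize_user() are available.

// Vulnerable pattern: the request-controlled value is interpolated straight into
// the query string, so a crafted value can change the query's structure.
function example_lookup_user_unsafe( $username ) {
    global $wpdb;
    // Hypothetical: $username arrives from the request with no sanitization.
    $sql = "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = '" . $username . "'";
    return $wpdb->get_row( $sql );
}

// Hardened form: $wpdb->prepare() binds the value to a %s placeholder, so it is
// always treated as data. The table name comes from $wpdb, never from input, and
// sanitize_user() additionally strips characters a login name should never contain.
function example_lookup_user_safe( $username ) {
    global $wpdb;
    $clean = sanitize_user( $username, true ); // strict mode: only safe characters remain
    $sql   = $wpdb->prepare(
        "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s",
        $clean
    );
    return $wpdb->get_row( $sql );
}

// Remediation check: returns true when the installed plugin version predates the fix.
// $installed_version is assumed to come from the plugin header (e.g. get_plugin_data()).
function example_is_affected_version( $installed_version ) {
    return version_compare( $installed_version, '1.2.1', '<' );
}

// Example use: version_compare() needs no WordPress runtime.
// example_is_affected_version( '1.2.0' ) returns true; '1.2.1' returns false.
```

The decisive fix is the placeholder binding in `$wpdb->prepare()`; sanitizing the username is defense in depth, not a substitute for it, because a value that looks harmless to a filter can still break out of a hand-built quoted string.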