Published:2021/04/27  Last Updated:2021/04/27

JVN#35240327
WordPress plugin "WP Fastest Cache" vulnerable to directory traversal

Overview

WordPress plugin "WP Fastest Cache" contains a directory traversal vulnerability.

Products Affected

  • WP Fastest Cache versions prior to 0.9.1.7

Description

WordPress plugin "WP Fastest Cache" provided by Emre Vona contains a directory traversal vulnerability (CWE-22).

Impact

Arbitrary files on the server may be deleted by a user with an administrative privilege.

Solution

Update the plugin
Update the plugin according to the information provided by the developer.

Vendor Status

Vendor Link
Emre Vona WP Fastest Cache
WP Fastest Cache Premium | The Fastest WordPress Cache Plugin

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Base Score: 3.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:P
Base Score: 5.5
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20714
JVN iPedia JVNDB-2021-000034