CVE-2023-1920 in WP Fastest Cache Plugininfo

Summary

by MITRE • 04/06/2023

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_purgecache_varnish_callback function. This makes it possible for unauthenticated attackers to purge the varnish cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/09/2026

The WP Fastest Cache plugin represents a widely used caching solution for wordpress environments, designed to improve website performance by storing static versions of web pages. This particular vulnerability exists within version 1.1.2 and earlier releases, creating a significant security risk for wordpress installations that rely on this plugin for cache management. The vulnerability stems from inadequate security controls within the plugin's administrative functions, specifically affecting the wpfc_purgecache_varnish_callback endpoint which handles cache purging operations for varnish cache systems. The flaw allows attackers to manipulate the cache purging functionality without proper authentication, potentially disrupting website availability and performance.

The technical implementation of this cross-site request forgery vulnerability occurs through the absence of proper nonce validation mechanisms within the wpfc_purgecache_varnish_callback function. Nonces serve as cryptographic tokens that verify the authenticity of administrative actions and prevent unauthorized operations. When these validation checks are missing or improperly implemented, malicious actors can construct forged requests that appear legitimate to the wordpress administration interface. The vulnerability specifically targets the varnish cache purging functionality, which is typically restricted to authenticated administrators but becomes accessible through crafted cross-site requests. This represents a classic csrf attack vector where the attacker leverages the victim's authenticated session to execute unauthorized administrative commands.

The operational impact of this vulnerability extends beyond simple cache manipulation, potentially affecting website availability and performance metrics. When an authenticated administrator inadvertently triggers a forged request, the varnish cache gets purged, which can cause temporary service degradation as the cache rebuilds. Attackers could exploit this vulnerability to repeatedly purge caches, creating denial of service conditions that impact user experience and potentially affecting website search engine rankings. The vulnerability also poses risks to website security posture, as cache purging can expose previously cached sensitive information or create inconsistencies in website content delivery. Additionally, the attack requires minimal technical expertise to execute, making it particularly dangerous for wordpress sites that may not have robust security monitoring in place.

Organizations should immediately upgrade to the latest version of the WP Fastest Cache plugin where this vulnerability has been addressed through proper nonce validation implementation. The fix typically involves adding appropriate wp_verify_nonce checks to verify that administrative requests originate from legitimate sources within the wordpress administration interface. Security teams should also implement additional monitoring for unusual cache purging activities and consider implementing web application firewalls that can detect and block suspicious csrf patterns. Network administrators should review access controls and ensure that only authorized personnel have administrative privileges to prevent exploitation. This vulnerability aligns with CWE-352, which specifically addresses cross-site request forgery weaknesses in web applications, and represents a common attack pattern documented in the attack tactics and techniques knowledge base. The remediation process should include comprehensive testing to ensure that the nonce validation does not introduce compatibility issues with existing administrative workflows while maintaining the security controls necessary to prevent unauthorized cache purging operations.

Responsible

Wordfence

Reservation

04/06/2023

Disclosure

04/06/2023

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!