CVE-2023-1922 in WP Fastest Cache Plugininfo

Summary

by MITRE • 04/06/2023

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_pause_cdn_integration_ajax_request_callback function. This makes it possible for unauthenticated attackers to change cdn settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/09/2026

The WP Fastest Cache plugin represents a widely used caching solution for WordPress websites, designed to improve site performance by storing static versions of pages and reducing server load. This particular vulnerability affects versions up to and including 1.1.2, making it a significant concern for thousands of WordPress installations that rely on this plugin for their caching infrastructure. The vulnerability stems from a fundamental flaw in the plugin's security implementation, specifically within the wpfc_pause_cdn_integration_ajax_request_callback function which handles administrative operations related to CDN integration settings.

The technical flaw manifests as a complete absence of proper nonce validation within the affected function. Nonces serve as cryptographic tokens that verify the authenticity of administrative requests and prevent unauthorized modifications to critical system settings. In this case, the missing nonce validation creates a predictable and exploitable weakness that allows attackers to forge requests that appear legitimate to the WordPress administration system. The vulnerability specifically targets the CDN integration pause functionality, enabling attackers to modify CDN settings without proper authorization, which could severely impact website performance and security posture.

The operational impact of this Cross-Site Request Forgery vulnerability is substantial and multifaceted. An unauthenticated attacker can manipulate CDN settings through a carefully crafted forged request, potentially leading to complete service disruption, degraded performance, or even complete loss of CDN functionality for the affected website. The attack requires social engineering to trick administrators into clicking malicious links, but once successful, it allows attackers to make persistent changes to the site's caching configuration that can have long-term consequences for site availability and user experience. This vulnerability particularly affects websites that rely heavily on CDN services for content delivery and performance optimization.

This vulnerability maps directly to CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in software applications. The implementation failure in nonce validation represents a classic CSRF attack vector where the application fails to verify that requests originate from legitimate administrative users. From an ATT&CK framework perspective, this vulnerability aligns with T1213.002 (Data from Information Repositories) and T1078.004 (Valid Accounts: Cloud Accounts) as it allows attackers to manipulate system configurations and potentially gain deeper access to website administration capabilities. The vulnerability also relates to T1566.001 (Phishing: Spearphishing Attachment) as it typically requires social engineering to trick administrators into performing malicious actions.

Mitigation strategies should begin with immediate plugin updates to versions that include proper nonce validation and CSRF protection mechanisms. Administrators should also implement additional security measures including regular security audits, monitoring for unauthorized configuration changes, and maintaining up-to-date backups. Network-level protections such as web application firewalls can help detect and block suspicious requests, while security plugins that monitor for CSRF attacks can provide additional layers of defense. The most effective long-term solution involves ensuring all WordPress plugins maintain proper security hygiene through regular updates, security reviews, and adherence to established security best practices for handling administrative requests and validating user authenticity.

Responsible

Wordfence

Reservation

04/06/2023

Disclosure

04/06/2023

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!