CVE-2023-1924 in WP Fastest Cache Plugininfo

Summary

by MITRE • 04/06/2023

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_toolbar_save_settings_callback function. This makes it possible for unauthenticated attackers to change cache settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/09/2026

The WP Fastest Cache plugin represents one of the most widely used caching solutions for WordPress websites, designed to improve site performance by storing static versions of web pages. This particular vulnerability affects versions up to and including 1.1.2, making it a significant concern for thousands of WordPress installations that rely on this plugin for their caching infrastructure. The vulnerability stems from a fundamental flaw in the plugin's security implementation where proper nonce validation mechanisms are either absent or improperly implemented within the wpfc_toolbar_save_settings_callback function.

The technical nature of this Cross-Site Request Forgery vulnerability places it squarely within the scope of CWE-352, which specifically addresses CSRF weaknesses in web applications. The flaw manifests when the plugin fails to validate nonce tokens that should be present in all administrative requests to prevent unauthorized modifications to site settings. Without proper nonce validation, an attacker can craft malicious requests that appear to originate from legitimate administrative sessions, exploiting the trust relationship between the WordPress admin interface and the plugin's settings management functions.

The operational impact of this vulnerability extends beyond simple cache configuration changes, as it provides attackers with the ability to manipulate critical caching parameters that directly affect website performance, security posture, and user experience. An attacker who successfully exploits this vulnerability could potentially disable caching entirely, modify cache expiration times, or even redirect cached content to malicious endpoints. The fact that this vulnerability affects unauthenticated attackers means that no prior access to the WordPress admin panel or valid credentials are required to attempt exploitation, making it particularly dangerous for sites with active administrators who might be tricked into clicking malicious links.

The attack vector relies heavily on social engineering techniques where administrators are tricked into clicking on malicious links or visiting compromised websites that contain embedded CSRF payloads. This method of exploitation aligns with ATT&CK technique T1566, which covers social engineering methods such as spearphishing and link manipulation. The vulnerability's presence in the toolbar save settings callback function suggests that attackers could potentially compromise settings through various user interaction points within the WordPress admin interface, making the attack surface broader than initially apparent.

Organizations should immediately update to the latest version of the WP Fastest Cache plugin where this vulnerability has been addressed through proper nonce validation implementation. Security teams should also implement additional monitoring for unauthorized changes to caching configurations and consider implementing additional security layers such as web application firewalls that can detect and block suspicious administrative requests. The vulnerability highlights the critical importance of proper input validation and authentication mechanisms in WordPress plugins, particularly those that modify core site functionality and performance parameters.

Responsible

Wordfence

Reservation

04/06/2023

Disclosure

04/06/2023

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!