CVE-2023-1930 in WP Fastest Cache Plugin
Summary
by MITRE • 04/07/2023
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the wpfc_clear_cache_of_allsites_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to delete caches.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/09/2026
The WP Fastest Cache plugin represents one of the most widely used caching solutions for WordPress environments, designed to improve website performance by storing static versions of web pages. This particular vulnerability exists within the plugin's architecture where the wpfc_clear_cache_of_allsites_callback function fails to properly validate user capabilities before executing cache deletion operations. The flaw specifically affects versions up to and including 1.1.2, creating a persistent security risk for WordPress installations that rely on this caching mechanism.
The technical implementation of this vulnerability stems from a critical missing capability check within the plugin's core functionality. When an authenticated user accesses the cache clearing functionality, the system should verify that the user possesses sufficient privileges to perform such operations. However, the wpfc_clear_cache_of_allsites_callback function operates without proper authorization verification, allowing any authenticated user regardless of their role level to trigger cache deletion. This represents a direct violation of the principle of least privilege and demonstrates poor access control implementation that aligns with CWE-284 access control weaknesses.
The operational impact of this vulnerability extends beyond simple cache disruption, as it provides attackers with a method to systematically degrade website performance and potentially interfere with legitimate user experiences. An attacker with subscriber-level access can repeatedly clear caches, forcing the server to regenerate cached content and resulting in increased resource consumption and slower response times. This vulnerability also creates potential for more sophisticated attacks where cache manipulation could be used as part of a broader exploitation strategy. The attack surface is particularly concerning given that subscriber accounts are often easier to obtain through social engineering or credential compromise compared to higher-privilege accounts.
From a security framework perspective, this vulnerability directly relates to ATT&CK technique T1499.001 which covers unauthorized data deletion and ATT&CK technique T1566 which involves credential harvesting. The weakness also maps to CWE-352 Cross-Site Request Forgery (CSRF) and CWE-284 Improper Access Control, demonstrating how multiple security principles have been violated. Organizations using this plugin face significant risk as attackers can leverage this vulnerability to cause service disruption while maintaining persistence through low-privilege accounts. The impact is particularly severe in high-traffic environments where cache clearing operations can cause cascading performance issues across multiple website functions.
Mitigation strategies should prioritize immediate plugin updates to versions that address this capability check deficiency, as this represents the most direct and effective solution. Administrators should also implement additional monitoring of cache clearing activities to detect unauthorized usage patterns and consider role-based access restrictions that limit cache management functions to trusted administrator accounts. Network-level security controls such as web application firewalls can provide additional protection by monitoring for suspicious cache manipulation requests. Regular security audits should include verification that all WordPress plugins properly implement access controls and capability checks, with particular attention to functions that modify system state or data. Organizations should also consider implementing automated patch management processes to ensure timely updates of all WordPress components and reduce exposure windows for known vulnerabilities.