HIGH | CVE-2024-4347 | CVSS 7.2

CVE-2024-4347: Arbitrary File Access in WP Fastest Cache

Platform

wordpress

Component

wp-fastest-cache

Fixed in

1.2.7

AI Confidence: high | NVD | EPSS 5.5% | Reviewed: May 2026

CVE-2024-4347 is an Arbitrary File Access vulnerability affecting the WP Fastest Cache plugin for WordPress. This vulnerability allows authenticated attackers to delete arbitrary files on the server, potentially leading to complete site compromise or impacting other sites on shared hosting environments. The vulnerability impacts versions of WP Fastest Cache up to and including 1.2.6. A patch is available; upgrade to a fixed version to remediate the issue.

Impact and Attack Scenarios

The primary impact of CVE-2024-4347 is the ability for an authenticated attacker to delete arbitrary files on the server hosting the WordPress site. This includes critical configuration files like wp-config.php, which contains database credentials and other sensitive information. Successful exploitation could lead to complete site takeover, data exfiltration, and denial of service. In shared hosting environments, the vulnerability poses a significant risk to other tenants, as an attacker could potentially delete files belonging to other websites hosted on the same server. The ease of exploitation, combined with the widespread use of WordPress and shared hosting, makes this a high-impact vulnerability.

Exploitation Context

CVE-2024-4347 was publicly disclosed on May 23, 2024. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the prevalence of WordPress make it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and the availability of the plugin.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

5.50% (90th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base score: 7.2 (HIGH)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
Source: nextguardhq.com, CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: wp-fastest-cache
Vendor: emrevona
Affected range: * – 1.2.6
Fixed in: 1.2.7

Package Information

Active installs: 1.0M (Known)
Plugin rating: 4.9
Requires WordPress: 5.7+
Compatible up to: 7.0

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 731 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-4347 is to upgrade the WP Fastest Cache plugin to a version newer than 1.2.6, where the vulnerability has been addressed. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider restricting file access permissions on the server to limit the potential damage from a successful attack. Implement a Web Application Firewall (WAF) with rules to block requests targeting the specificDeleteCache function with potentially malicious parameters. Regularly review WordPress plugin installations and remove any unused or outdated plugins to reduce the attack surface. After upgrading, confirm the fix by attempting to access the specificDeleteCache function with a deliberately invalid file path; it should return an error instead of deleting the file.

How to fix

Update the WP Fastest Cache plugin to the latest available version. The vulnerability that allows arbitrary file deletion has been fixed in versions after 1.2.6.

Frequently asked questions

What is CVE-2024-4347 — Arbitrary File Access in WP Fastest Cache?

CVE-2024-4347 is a vulnerability in WP Fastest Cache versions up to 1.2.6 that allows authenticated attackers to delete arbitrary files on the server, potentially compromising the site or shared hosting environment.

Am I affected by CVE-2024-4347 in WP Fastest Cache?

You are affected if you are using WP Fastest Cache version 1.2.6 or earlier. Check your plugin version and upgrade immediately if necessary.
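The version check described above, as an added example (not code from the plugin or from this page): it walks a hosting root, finds every copy of the plugin, reads the Version: header WordPress plugins carry in their main PHP file, and compares it with the fixed version 1.2.7. The wp-content/plugins/wp-fastest-cache layout is the standard WordPress plugin path and is assumed here; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "wp-fastest-cache"   # component name from the advisory
FIXED_VERSION = (1, 2, 7)          # "Fixed in" value from the advisory
# WordPress takes a plugin's version from the "Version:" line of the header
# comment in its main PHP file; the file is discovered here, not assumed.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)


def parse_version(text):
    """Turn '1.2.6' into (1, 2, 6); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def installed_version(plugin_dir):
    """Return the version string from the top-level PHP file holding the plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = HEADER_RE.search(head)
        if "Plugin Name:" in head and match:
            return match.group(1)
    return None


def audit(root):
    """Yield (plugin_dir, version, status) for every copy of the plugin under root."""
    for plugin_dir in sorted(Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}")):
        if not plugin_dir.is_dir():
            continue
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"      # header missing or unreadable: inspect by hand
        elif parse_version(version) < FIXED_VERSION:
            status = "vulnerable"   # 1.2.6 or earlier
        else:
            status = "fixed"
        yield str(plugin_dir), version, status


if __name__ == "__main__":
    for path, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version or '-':10} {path}")
```

Run it with the directory that holds the site roots as its only argument; on shared hosting, any row marked vulnerable or unknown is a site to upgrade or inspect.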

How do I fix CVE-2024-4347 in WP Fastest Cache?

Upgrade the WP Fastest Cache plugin to a version newer than 1.2.6. If upgrading is not immediately possible, implement temporary mitigations like restricting file access permissions and using a WAF.

Is CVE-2024-4347 being actively exploited?

There is currently no confirmed active exploitation, but the vulnerability's ease of exploitation makes it a potential target.

Where can I find the official WP Fastest Cache advisory for CVE-2024-4347?

Refer to the WP Fastest Cache official website and WordPress plugin directory for the latest security advisories and updates.
