Platform: wordpress
Component: wp-fastest-cache
Fixed in: 1.2.7
CVE-2024-4347 is an Arbitrary File Access vulnerability affecting the WP Fastest Cache plugin for WordPress. This vulnerability allows authenticated attackers to delete arbitrary files on the server, potentially leading to complete site compromise or impacting other sites on shared hosting environments. The vulnerability impacts versions of WP Fastest Cache up to and including 1.2.6. A patch is available; upgrade to a fixed version to remediate the issue.
The primary impact of CVE-2024-4347 is the ability for an authenticated attacker to delete arbitrary files on the server hosting the WordPress site. This includes critical configuration files like wp-config.php, which contains database credentials and other sensitive information. Successful exploitation could lead to complete site takeover, data exfiltration, and denial of service. In shared hosting environments, the vulnerability poses a significant risk to other tenants, as an attacker could potentially delete files belonging to other websites hosted on the same server. The ease of exploitation, combined with the widespread use of WordPress and shared hosting, makes this a high-impact vulnerability.
CVE-2024-4347 was publicly disclosed on May 23, 2024. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the prevalence of WordPress make it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and the availability of the plugin.
Exploit Status
EPSS: 5.50% (90th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-4347 is to upgrade the WP Fastest Cache plugin to a version newer than 1.2.6, where the vulnerability has been addressed. If an immediate upgrade is not possible because of compatibility issues or breaking changes, restrict file access permissions on the server to limit the damage a successful attack can do. Deploy a Web Application Firewall (WAF) with rules that block requests targeting the specificDeleteCache function with potentially malicious parameters. Regularly review the installed WordPress plugins and remove any that are unused or outdated to reduce the attack surface. After upgrading, confirm the fix by calling the specificDeleteCache function with a deliberately invalid file path; it should return an error instead of deleting the file.
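The check that a cache-deletion routine of the kind described above needs, shown as an added illustrative example in Python: it is not the plugin's PHP code or its actual patch, which this page does not show, and the cache layout, file names and wp-config.php sample are constructed for the demo. A caller-supplied entry name is canonicalised and must still resolve inside the cache directory; traversal, absolute paths and symlinks that point outside are all refused.

```python
import os
import tempfile
from pathlib import Path
class UnsafeCachePath(ValueError): pass  # entry resolves outside the cache root

def resolve_cache_entry(cache_root: str, requested: str) -> str:
    """Canonicalise a caller-supplied entry name or raise UnsafeCachePath.
    Joined to the root, fully resolved ('..' and symlinks) and re-checked."""
    if not requested or "\x00" in requested:
        raise UnsafeCachePath("empty name or embedded NUL byte")
    if os.path.isabs(requested):
        raise UnsafeCachePath("absolute paths are never cache entries")
    root = os.path.realpath(cache_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath, not startswith: startswith would accept "/var/cache-x" under "/var/cache"
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeCachePath(f"{requested!r} escapes the cache directory")
    return candidate

def delete_cache_entry(cache_root: str, requested: str) -> bool:
    """Delete one cache file; True if removed, False if no such file."""
    target = resolve_cache_entry(cache_root, requested)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def demo() -> dict:
    """Exercise the check against a throwaway, constructed cache layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "cache", "all")
        os.makedirs(root)
        Path(root, "index.html").write_text("<html>cached</html>")
        config = Path(tmp, "wp-config.php")  # outside the cache root
        config.write_text("<?php /* constructed sample, not a real config */")
        attempts = {"traversal": "../../wp-config.php", "absolute": str(config)}
        try:  # symlink inside the cache that points at the config file
            os.symlink(config, Path(root, "link.html"))
            attempts["symlink"] = "link.html"
        except OSError:  # platform without symlink support; skip this case
            pass
        results = {"valid_entry": delete_cache_entry(root, "index.html")}
        for label, name in attempts.items():
            try:
                delete_cache_entry(root, name)
                results[label] = "deleted"
            except UnsafeCachePath:
                results[label] = "rejected"
        results["config_survives"] = config.exists()
        return results
```

Running demo() deletes only the genuine cache entry; every attempt to reach wp-config.php is rejected and the file is still present afterwards.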
Update the WP Fastest Cache plugin to the latest available version. The vulnerability that allows arbitrary file deletion has been fixed in versions later than 1.2.6.
CVE-2024-4347 is a vulnerability in WP Fastest Cache versions up to 1.2.6 that allows authenticated attackers to delete arbitrary files on the server, potentially compromising the site or shared hosting environment.
You are affected if you are using WP Fastest Cache version 1.2.6 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the WP Fastest Cache plugin to a version newer than 1.2.6. If upgrading is not immediately possible, implement temporary mitigations like restricting file access permissions and using a WAF.
There is currently no confirmed active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the WP Fastest Cache official website and WordPress plugin directory for the latest security advisories and updates.