Cross-Site Request Forgery vulnerability in the WP Fastest Cache plugin


The WP Fastest Cache plugin contains multiple vulnerabilities (cross-site request forgery combined with path traversal in its cache-deletion handler) that together can allow an attacker to delete every file in the WordPress installation.

We discovered that the WP Fastest Cache plugin allowed users to delete files and directories. When doing so, the plugin did not check for or strip ../ sequences from the user-controlled path value, and the request was not protected against cross-site request forgery. This would have allowed us to delete the entire WordPress installation, including any backups.


WARNING: This replication process is destructive, and is included for information purposes only. Do not follow these steps on a production system.

Ensure that WP Fastest Cache has been set up and enabled (including ticking Enable for Cache System).

Then set up a local copy (hostname temporarycopy.local in this example).

Create an HTML file containing the following code, and save it on your local drive:

    <form id="form" action="https://temporarycopy.local/wp-admin/admin-ajax.php?path=/../../../.." method="post">
    <input type="hidden" name="action" value="wpfc_delete_current_page_cache"/>
    </form>

Log into WordPress, and then visit the HTML file you have just created. The entire website will be deleted.

Mitigation/further actions

Upgrade to version when it is released.
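For comparison, the following is a hardened form of the kind of handler described above. It is an added example written for this advisory, not code from the WP Fastest Cache plugin; the nonce action string, the cache directory under WP_CONTENT_DIR and the example_* function names are assumptions. It closes both issues: the request must carry a nonce bound to the user's session, and the supplied path is resolved with realpath() and rejected unless it lands inside the cache directory.

```php
<?php
// Added example, not WP Fastest Cache code. Assumed: the nonce action string,
// the cache location under WP_CONTENT_DIR, and the example_* function names.
// Map a user-supplied relative path onto the cache directory, or return false.
function example_resolve_cache_path( $user_path ) {
    if ( ! is_string( $user_path ) || false !== strpos( $user_path, "\0" ) ) {
        return false; // NUL bytes can truncate the path in lower layers
    }
    $base = realpath( WP_CONTENT_DIR . '/cache/all' ); // assumed cache dir
    if ( false === $base ) {
        return false;
    }
    // realpath() resolves every '../' and symlink, so the check below is on
    // the real target on disk, not on the text the client sent.
    $rel    = ltrim( str_replace( '\\', '/', $user_path ), '/' );
    $target = realpath( $base . '/' . $rel );
    if ( false === $target ) {
        return false; // does not exist: nothing to delete
    }
    if ( $target !== $base && 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false; // resolved outside the cache directory
    }
    return $target;
}
// Remove a file or directory tree already confirmed to sit inside the cache
// directory. Symlinks are unlinked, never followed.
function example_remove_tree( $path ) {
    if ( is_link( $path ) || is_file( $path ) ) {
        return unlink( $path );
    }
    foreach ( array_diff( scandir( $path ), array( '.', '..' ) ) as $entry ) {
        example_remove_tree( $path . DIRECTORY_SEPARATOR . $entry );
    }
    return rmdir( $path );
}
function example_delete_current_page_cache() {
    // CSRF: the request must carry a nonce bound to this action and session;
    // check_ajax_referer() terminates the request if it is missing or invalid.
    check_ajax_referer( 'wpfc_delete_current_page_cache', 'nonce' );
    // Authorisation: only administrators may purge cache files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // The advisory's request passes the path in the query string.
    $path   = isset( $_GET['path'] ) ? wp_unslash( $_GET['path'] ) : '';
    $target = example_resolve_cache_path( $path );
    if ( false === $target || ! example_remove_tree( $target ) ) {
        wp_send_json_error( 'invalid cache path', 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_current_page_cache', 'example_delete_current_page_cache' );
```

With this handler the advisory's request fails twice over: there is no nonce, and a path of /../../../.. resolves to a directory outside the cache and is refused before anything is touched.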

Advisory timeline

  1. 2020-01-28 – Reported to plugin author
  2. 2020-01-28 – Issue reported fixed and verified by Tradecraft
  3. 2020-02-05 – Advisory published


Base score: 7.1
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High


  • Severity
    High (base score 7.1)
  • Discovered by
    Glyn Wintle
  • Advisory ID
  • CVE
    (CVE not assigned)
  • Component/package
    WP Fastest Cache
  • Version and older versions
  • Published