cbcvebase.
CVE-2020-36836
published 2024-10-16


Priority: P2 (75, high)
CVSS 3.1: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 1.37% (68.4th percentile)
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.

Affected (2 ranges)

Vendor          Product                                   Version range   Fixed in
emrevona        wp_fastest_cache_wordpress_cache_plugin   < 0.9.0.3       0.9.0.3
wpfastestcache  wp_fastest_cache                          < 0.9.0.3       0.9.0.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?path=/../../../wp-content/plugins/wp-fastest-cache/languages
path: /wp-content/plugins/wp-fastest-cache/
command: action=wpfc_delete_current_page_cache
  • Look for POST requests to /wp-admin/admin-ajax.php with a 'path' query parameter containing directory traversal sequences (e.g., /../../../) and the POST body containing action=wpfc_delete_current_page_cache
  • A successful exploitation response will contain both 'The cache of page has been cleared' and 'success' in the response body with HTTP 200
  • Confirm plugin presence by checking for HTTP 200 on GET /wp-content/plugins/wp-fastest-cache/ before exploitation attempts
  • After exploitation, the targeted path returns HTTP 404, confirming successful arbitrary file/directory deletion
  • Exploitation requires authentication — the attacker must first obtain a valid WordPress session cookie (wordpress_logged_in) via /wp-login.php before sending the malicious admin-ajax.php request
  • The vulnerability affects only WP Fastest Cache versions up to and including 0.9.0.2; version 0.9.0.3 and later are patched
  • Minimal WordPress permissions are sufficient for exploitation — capability checking is absent in the vulnerable versions
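The detection bullets above, turned into a check over request records. This is an added example, not code from the advisory or the plugin; the record format (method, url, body, status, response snippet) is an assumed app-level log, and the sample records are constructed. It also checks the 'path' parameter in the POST body and double-encoded traversal, which goes beyond the single URL quoted above.

```python
# Added example (not from the advisory): flag CVE-2020-36836 exploitation
# attempts in constructed app-level request records; the record format is assumed.
from urllib.parse import urlsplit, parse_qs, unquote

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "wpfc_delete_current_page_cache"
SUCCESS_MARKERS = ("The cache of page has been cleared", "success")


def has_traversal(value: str) -> bool:
    """True if a '..' segment remains after percent-decoding twice
    (catches double-encoded forms such as %252e%252e)."""
    decoded = unquote(unquote(value))
    return ".." in decoded.replace("\\", "/").split("/")


def classify_request(rec: dict) -> str:
    """Return 'benign', 'attempt' or 'success' for one request record."""
    if rec.get("method") != "POST":
        return "benign"
    parts = urlsplit(rec.get("url", ""))
    if parts.path != AJAX_ENDPOINT:
        return "benign"
    query = parse_qs(parts.query, keep_blank_values=True)
    body = parse_qs(rec.get("body", ""), keep_blank_values=True)
    if TARGET_ACTION not in body.get("action", []):
        return "benign"
    # The advisory names 'path' as a query parameter; the body is checked too.
    paths = query.get("path", []) + body.get("path", [])
    if not any(has_traversal(p) for p in paths):
        return "benign"          # ordinary cache purge of a page path
    resp = rec.get("response", "")
    if rec.get("status") == 200 and all(m in resp for m in SUCCESS_MARKERS):
        return "success"         # server confirmed the deletion
    return "attempt"


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    {"method": "POST", "body": "action=" + TARGET_ACTION, "status": 200,
     "url": AJAX_ENDPOINT + "?path=/../../../wp-content/plugins/wp-fastest-cache/languages",
     "response": '{"success":true,"message":"The cache of page has been cleared"}'},
    {"method": "POST", "body": "action=" + TARGET_ACTION, "status": 403, "response": "",
     "url": AJAX_ENDPOINT + "?path=%252e%252e/%252e%252e/wp-content/plugins/wp-fastest-cache/languages"},
    {"method": "POST", "body": "action=" + TARGET_ACTION, "status": 200,
     "url": AJAX_ENDPOINT + "?path=/blog/hello-world/", "response": '{"success":true}'},
    {"method": "GET", "url": "/wp-content/plugins/wp-fastest-cache/", "status": 200},
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(f"record {i}: {classify_request(rec)}")
```

A 'success' verdict is the signal to follow up with the 404 check on the targeted path described above.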

CVSS provenance

nvd: v3.1 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
vulncheck: 8.0 HIGH