Skip to main content

WP Fastest Cache CVE-2020-36836

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-10-16 security@wordfence.com
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 08, 2026 - 18:22 nvd
Patch available
PoC Detected
Apr 08, 2026 - 18:17 vuln.today
Public exploit code
CVE Published
Oct 16, 2024 - 07:15 nvd
HIGH 8.0

DescriptionCVE.org

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.

AnalysisAI

Arbitrary file deletion in the WP Fastest Cache WordPress plugin (versions up to and including 0.9.0.2) allows authenticated low-privileged users to remove arbitrary files from the underlying server due to missing capability checks and inadequate path validation. Publicly available exploit code exists, and the EPSS score of 43.15% (97th percentile) indicates a notably elevated exploitation probability relative to the broader CVE population. The flaw is tagged as CSRF (CWE-352), meaning the deletion action can also be triggered via a forged request against an authenticated victim.

Technical ContextAI

WP Fastest Cache is a widely deployed caching plugin for WordPress (CPE cpe:2.3:a:wpfastestcache:wp_fastest_cache) that generates and manages static cache files on the server filesystem. The plugin exposes administrative-style actions (typically cache invalidation/deletion routines) without enforcing WordPress capability checks (current_user_can) and without validating or canonicalizing user-supplied path parameters. Combined with the CWE-352 (Cross-Site Request Forgery) classification, the deletion endpoint also lacks nonce verification, so the same action can be coerced from an authenticated browser session via a crafted external page. The result is a path traversal-style arbitrary file deletion accessible to any logged-in user (e.g., Subscriber).

RemediationAI

Patch available per vendor advisory: upgrade WP Fastest Cache to a version newer than 0.9.0.2 via the WordPress plugin updater or by replacing the plugin files manually; consult the Wordfence advisory referenced in the CVE record for the exact fixed release. If immediate patching is not feasible, compensating controls include temporarily deactivating the WP Fastest Cache plugin (trade-off: loss of caching and a performance regression on the site), restricting wp-admin and admin-ajax.php access to known IP ranges via web server or WAF rules (trade-off: blocks legitimate remote administrators), and disabling new user self-registration in WordPress general settings to shrink the pool of low-privileged accounts that could abuse the endpoint (trade-off: blocks legitimate community signups). Also ensure file system permissions on wp-config.php and core files limit the WordPress process user's write/delete access where the hosting model allows.

CVE-2023-1938 HIGH POC
8.8 May 30

The WP Fastest Cache WordPress plugin before 1.1.5 does not have CSRF check in an AJAX action, and does not validate use

CVE-2023-6063 HIGH POC
7.5 Dec 04

The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in

CVE-2019-6726 MEDIUM POC
6.5 Jul 29

The WP Fastest Cache plugin through 0.8.9.0 for WordPress allows remote attackers to delete arbitrary files because wp_p

CVE-2019-13635 CRITICAL
9.1 Jul 30

The WP Fastest Cache plugin through 0.8.9.5 for WordPress allows wpFastestCache.php and inc/cache.php Directory Traversa

CVE-2015-4089 HIGH
8.8 Sep 19

Multiple cross-site request forgery (CSRF) vulnerabilities in the optionsPageRequest function in admin.php in WP Fastest

CVE-2021-20714 MEDIUM
6.5 Apr 27

Directory traversal vulnerability in WP Fastest Cache versions prior to 0.9.1.7 allows a remote attacker with administra

CVE-2023-1929 MEDIUM
4.3 Apr 06

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability ch

CVE-2023-1931 MEDIUM
4.3 Apr 06

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on t

CVE-2023-1930 MEDIUM
4.3 Apr 06

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check

CVE-2023-1928 MEDIUM
4.3 Apr 06

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability ch

CVE-2023-1927 MEDIUM
4.3 Apr 06

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

CVE-2023-1926 MEDIUM
4.3 Apr 06

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

Share

CVE-2020-36836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy