CVE-2023-49746: 
WordPress vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the SpeedyCache WordPress plugin, affecting versions up to and including 1.1.2. The vulnerability was disclosed on December 4, 2023, and was assigned CVE-2023-49746. The affected software is the SpeedyCache – Cache, Optimization, Performance plugin developed by Softaculous Team (Patchstack, WPScan).

The vulnerability exists in the speedycache_create_test_cache() function and requires authenticated access at the subscriber level or above. The CVSS v3.1 base score ranges from 4.3 (MEDIUM) according to NIST to 4.9 (MEDIUM) according to Patchstack. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and allows attackers to make web requests to arbitrary locations originating from the web application (NVD, Patchstack).

The vulnerability enables authenticated attackers to query and modify information from internal services. This could allow malicious actors to find sensitive information of other services running on the system by executing website requests to arbitrary domains (Patchstack).

The vulnerability has been fixed in version 1.1.3 of the SpeedyCache plugin. Users are advised to update to version 1.1.3 or later to remove the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).