CVE-2023-6063: 
WordPress vulnerability analysis and mitigation

The WP Fastest Cache WordPress plugin before version 1.2.2 contains an unauthenticated SQL injection vulnerability (CVE-2023-6063). The vulnerability was discovered during an internal review by the WPScan team and was disclosed on December 4, 2023. The plugin fails to properly sanitize and escape a parameter before using it in a SQL statement, making it exploitable by unauthenticated users (WPScan Blog, NVD).

The vulnerability exists in the isuseradmin function of the WpFastestCacheCreateCache class, which retrieves the $username variable from any cookie containing 'wordpressloggedin' in its name. The function extracts everything up to the first | character and inserts it into a SQL query without proper escaping. This occurs before wpmagicquotes() is called on the request data. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High) and is classified as CWE-89 (SQL Injection) (WPScan Blog).

This vulnerability allows unauthenticated attackers to potentially read the full contents of the WordPress database using time-based blind SQL injection payloads. Since the vulnerability requires no authentication, it poses a significant risk to affected installations (WPScan Blog).

The vulnerability has been patched in version 1.2.2 of the WP Fastest Cache plugin. Website administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan Blog).