What the vulnerability does
01 Description
The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations that originate from the web application; these requests can be used to query and modify information from internal services. The free version is not affected.
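To check whether the affected AJAX action has been called on a site, the sketch below scans web server access logs for admin-ajax.php requests that name it. This is an added example, not code from the plugin or from the advisory. It assumes Combined Log Format and that the action name in the description is the exact value of the `action` request parameter; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Action name as written in the advisory. Assumption: this is the exact value
# of the "action" request parameter; adjust it if your install differs.
ACTION = "get_server_time_ajax_request"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_action_hits(lines, action=ACTION):
    """Return (ip, time, method, status) for admin-ajax.php requests naming action."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes, so encoded spellings of the name still match.
        if action in parse_qs(url.query).get("action", []):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

def hits_per_client(hits):
    """Count matching requests per client address."""
    return Counter(ip for ip, _ts, _method, _status in hits)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_server_time_ajax_request HTTP/1.1" 200 58 "-" "-"',
    '203.0.113.7 - - [12/Dec/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=get%5Fserver%5Ftime%5Fajax%5Frequest HTTP/1.1" 403 12 "-" "-"',
    '198.51.100.20 - - [12/Dec/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90 "-" "-"',
    '198.51.100.20 - - [12/Dec/2025:10:02:05 +0000] "GET /index.php?action=get_server_time_ajax_request HTTP/1.1" 404 0 "-" "-"',
    # Action sent in the POST body: invisible in access logs, so not matched.
    '198.51.100.20 - - [12/Dec/2025:10:02:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "-"',
]

if __name__ == "__main__":
    for ip, count in hits_per_client(find_action_hits(SAMPLE_LOG)).items():
        print(ip, count)
```

Because an action sent in a POST body never reaches the access log, a clean result here does not rule out use of the action; WAF or application-level request logging is needed to cover that case.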
Explanation of Vulnerability in Simple Terms
02 Summary
WP Fastest Cache Premium versions up to 1.7.4 lack proper authorization checks, allowing authenticated users with low privileges to modify site settings they should not access. The vulnerability requires network access and an active user account but no additional user interaction. Scope is changed, meaning the impact extends beyond the vulnerable component itself.
What an attacker can do
03 Attacker Capabilities
Modify site settings or configuration that should be restricted to higher-privilege users.
Potential impact on your site
04 Site Impact
Low-privilege users (subscribers, contributors) can alter plugin settings intended only for administrators.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the WordPress site; network access required.
Key dates
06 Disclosure timeline
December 12, 2025: CVE published
April 15, 2026: Record updated