Description
The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The free version is not affected.
Published: 2025-12-12
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

The WP Fastest Cache Premium plugin for WordPress contains a flaw in the "get_server_time_ajax_request" AJAX action, which fails to enforce proper authorization checks. As a result, authenticated users with Subscriber-level access or higher may trigger the action to cause the server to issue HTTP requests to any target URL, potentially exfiltrating sensitive data or modifying internal services. Attackers can use this server‑side request forgery to probe or manipulate internal network resources without needing privileges beyond a Subscriber-level account.

Affected Systems

All installations of WP Fastest Cache Premium version 1.7.4 or earlier are affected; the free edition is not impacted. The flaw exists in WordPress sites that have the plugin enabled and have users with Subscriber or higher roles.

Risk and Exploitability

The CVSS score of 3.5 indicates a low to moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires an authenticated session, the likely vector involves a user who has logged in and runs a script that calls the vulnerable AJAX endpoint. While the issue does not provide remote code execution, it can lead to data disclosure or modification of internal services, which may have significant operational impact.

Generated by OpenCVE AI on April 20, 2026 at 16:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official release of WP Fastest Cache Premium to incorporate the vendor's authorization fix, if available.
  • If an immediate update is not feasible, block or disable the get_server_time_ajax_request AJAX action for all users except those explicitly allowed, for example by adding a server‑side whitelist or using a plugin that restricts endpoint access.
  • Implement outbound request filtering or firewall rules to prevent the WordPress server from accessing internal network addresses or sensitive domains, reducing the potential impact of any remaining SSRF capability.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Values Added: The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The free version is not affected.
References

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Emrevona
Emrevona wp Fastest Cache
Wordpress
Wordpress wordpress
Vendors & Products Emrevona
Emrevona wp Fastest Cache
Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 07:30:00 +0000

Type Values Removed Values Added
Description The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title WP Fastest Cache Premium <= 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Blind Server-Side Request Forgery
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T13:53:27.464Z

Reserved: 2025-09-16T20:02:55.540Z

Link: CVE-2025-10583

Vulnrichment

Updated: 2025-12-12T20:49:01.769Z

NVD

Status: Deferred

Published: 2025-12-12T08:15:47.103

Modified: 2026-04-15T15:16:40.627

Link: CVE-2025-10583

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z
