A popular WordPress caching plugin allows attackers to gain access to user credentials and to admin accounts. The vulnerabilities in the plugin were discovered during an internal Jetpack Security audit. The researchers from Jetpack provided more technical detail in a blog post. A demonstration of the attacks is also shown.
High CVSS scores
An SQL injection vulnerability with a CVSS score of 7.7 was the first flaw to be detected. It affects the website's database and could give attackers privileged information from the website, such as usernames and hashed passwords. However, this SQL injection bug can only be exploited if the website is actively using the classic-editor plugin.
WordPress Fastest Cache users are strongly advised to update to the latest version, 0.9.5, which includes protections against these vulnerabilities.