WP-Safety

WP Fastest Cache – WordPress Cache Plugin Security & Risk Analysis

wordpress.org/plugins/wp-fastest-cache

The simplest and fastest WP Cache system

1.0M active installs v1.4.6 PHP + WP 5.3+ Updated Feb 10, 2026
cachecore-web-vitalsoptimizepagespeedperformance
76
B · Generally Safe
CVEs total35
Unpatched0
Last CVENov 26, 2025
Plugin page Download
Safety Verdict

Is WP Fastest Cache – WordPress Cache Plugin Safe to Use in 2026?

Mostly Safe

Score 76/100

WP Fastest Cache – WordPress Cache Plugin is generally safe to use. 35 past CVEs were resolved. Keep it updated.

35 known CVEsLast CVE: Nov 26, 2025Updated 1mo ago
Risk Assessment

The wp-fastest-cache plugin v1.4.6 presents a mixed security posture. While it demonstrates some good practices like a significant number of nonce and capability checks, concerns arise from the presence of unprotected AJAX handlers and a history of numerous vulnerabilities. The static analysis reveals a substantial attack surface with 8 out of 31 AJAX handlers lacking authentication checks, indicating a potential entry point for unauthorized actions. The use of `unserialize` is a critical red flag, as it can lead to severe security issues if not handled with extreme care and proper input validation. Furthermore, the low percentage of properly escaped output (21%) and prepared SQL statements (10%) suggests a higher risk of cross-site scripting (XSS) and SQL injection vulnerabilities respectively.

The plugin's vulnerability history is highly concerning, with 35 known CVEs, including 3 critical and 9 high-severity issues. The recurring types of vulnerabilities, such as SSRF, CSRF, missing authorization, path traversal, XSS, SQL injection, and RFI, point to systemic weaknesses in input validation and access control. The fact that all previously known vulnerabilities are currently patched is a positive sign, but the sheer volume and severity of past issues, with the last one being very recent (2025-11-26), suggest that the development team may struggle to maintain a consistently secure codebase. This history, combined with the identified code signals and attack surface, indicates that while immediate unpatched vulnerabilities are zero, the inherent risks associated with this version remain significant.

In conclusion, wp-fastest-cache v1.4.6 has notable strengths in its implementation of some security features. However, these are overshadowed by critical weaknesses such as unprotected AJAX endpoints, dangerous function usage, insufficient output escaping and SQL sanitization, and a historically problematic security track record. The potential for exploitation is heightened by these factors, and users should proceed with caution and ensure they are using the absolute latest version with all available patches applied. Continuous monitoring for new vulnerabilities is strongly advised.

Key Concerns

  • Unprotected AJAX handlers found
  • Use of dangerous function (unserialize)
  • Low percentage of properly escaped output
  • Low percentage of SQL using prepared statements
  • High number of past critical/high severity CVEs
  • History of common vulnerability types (SSRF, XSS, SQLi, etc.)
  • Flows with unsanitized paths found
  • High severity taint flow found
Vulnerabilities
35

WP Fastest Cache – WordPress Cache Plugin Security Vulnerabilities

CVEs by Year

2 CVEs in 2015
2015
3 CVEs in 2016
2016
5 CVEs in 2018
2018
1 CVE in 2019
2019
1 CVE in 2020
2020
3 CVEs in 2021
2021
1 CVE in 2022
2022
17 CVEs in 2023
2023
1 CVE in 2024
2024
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Critical
3
High
9
Medium
23

35 total CVEs

CVE-2025-10476medium · 4.3Missing Authorization

WP Fastest Cache <= 1.4.0 - Missing Authorization to Authenticated (Subscriber+) DB Cleanup Actions

Nov 26, 2025 Patched in 1.4.1 (1d)
CVE-2024-4347high · 7.2Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Fastest Cache <= 1.2.6 - Authenticated (Administrator+) Arbitrary File Deletion

May 10, 2024 Patched in 1.2.7 (13d)
CVE-2023-6063critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Fastest Cache <= 1.2.1 - Unauthenticated SQL Injection

Nov 13, 2023 Patched in 1.2.2 (718d)
CVE-2023-1938medium · 6.5Server-Side Request Forgery (SSRF)

WP Fastest Cache <= 1.1.4 - Authenticated(Administrator+) Blind Server Side Request Forgery via check_url

May 2, 2023 Patched in 1.1.5 (266d)
CVE-2023-1919medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_save_settings_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1925medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_clear_cache_of_allsites_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1921medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_start_cdn_integration_ajax_request_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1918medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1929medium · 4.3Missing Authorization

WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_purgecache_varnish_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1923medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_remove_cdn_integration_ajax_request_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1927medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'deleteCssAndJsCacheToolbar'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1928medium · 4.3Missing Authorization

WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_preload_single_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1922medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_pause_cdn_integration_ajax_request_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1924medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_toolbar_save_settings_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1375medium · 4.3Missing Authorization

WP Fastest Cache <= 1.1.2 - Missing Authorization to Cache Deletion

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1931medium · 4.3Missing Authorization

WP Fastest Cache <= 1.1.2 - Missing Authorization in 'deleteCssAndJsCacheToolbar'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1926medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'deleteCacheToolbar'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1930medium · 4.3Missing Authorization

WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_clear_cache_of_allsites_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2023-1920medium · 4.3Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_purgecache_varnish_callback'

Apr 6, 2023 Patched in 1.1.3 (292d)
CVE-2019-6726medium · 6.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Fastest Cache <= 0.8.9.0 - Directory Traversal to Arbitrary File Deletion

Jan 24, 2022 Patched in 0.8.9.1 (729d)
CVE-2021-24870high · 8.8Cross-Site Request Forgery (CSRF)

WP Fastest Cache < 0.9.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Oct 14, 2021 Patched in 0.9.5 (831d)
CVE-2021-24869high · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Fastest Cache < 0.9.5 - Authenticated (Subscriber+) SQL Injection

Oct 14, 2021 Patched in 0.9.5 (831d)
CVE-2021-20714medium · 6.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Fastest Cache <= 0.9.1.6 - Authenticated (Admin+) Directory Traversal to Arbitrary File Deletion

Apr 27, 2021 Patched in 0.9.1.7 (1001d)
CVE-2020-36836high · 8Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 0.9.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion

Feb 5, 2020 Patched in 0.9.0.3 (1724d)
CVE-2019-13635critical · 9.1Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Fastest Cache <= 0.8.9.5 - Directory Traversal

Jul 28, 2019 Patched in 0.8.9.6 (1640d)
CVE-2018-17584high · 8.8Cross-Site Request Forgery (CSRF)

WP Fastest Cache <= 0.8.8.5 - Cross-Site Request Forgery via page to wpfastestcacheoptions

Oct 9, 2018 Patched in 0.8.8.6 (1932d)
CVE-2018-17586medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Fastest Cache <= 0.8.8.5 - Cross-Site Scripting via rules[0][content] parameter

Oct 9, 2018 Patched in 0.8.8.6 (1932d)
CVE-2018-17585medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Fastest Cache <= 0.8.8.5 - Cross-Site Scripting via wpFastestCachePage options, wpFastestCachePreload_number or wpFastestCacheLanguage parameter

Oct 9, 2018 Patched in 0.8.8.6 (1932d)
CVE-2018-17583medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Fastest Cache <= 0.8.8.5 - Cross-Site Scripting via the rules[0][content] parameter in a wpfc_save_exclude_pages action

Oct 9, 2018 Patched in 0.8.8.6 (1932d)
WF-65b3baaf-86e4-4dd2-b3eb-84c21eabdd6d-wp-fastest-cachehigh · 7.4Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Fastest Cache <= 0.8.7.4 - SQL Injection

Feb 22, 2018 Patched in 0.8.7.5 (2161d)
WF-e8fe4aa7-13e6-48ec-afec-2888edd999f5-wp-fastest-cachehigh · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WP Fastest Cache <= 0.8.5.9 - Local File Inclusion

Jul 13, 2016 Patched in 0.8.6.0 (2750d)
WF-3ebe25a7-fa4d-4e3f-b969-2ff3a8388b06-wp-fastest-cachehigh · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WP Fastest Cache <= 0.8.5.7 - Local File Inclusion

May 24, 2016 Patched in 0.8.5.8 (2800d)
WF-fcbd718b-4d7d-48a4-9db2-dd938de7c7eb-wp-fastest-cachemedium · 4.9Missing Authorization

WP Fastest Cache <= 0.8.5.7 - Missing Authorization

May 23, 2016 Patched in 0.8.5.8 (2801d)
CVE-2015-9316critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Fastest Cache < 0.8.4.9 - SQL Injection

Nov 11, 2015 Patched in 0.8.4.9 (2995d)
CVE-2015-4089high · 8.8Cross-Site Request Forgery (CSRF)

WP Fastest Cache < 0.8.3.5 - Multiple Cross-Site Request Forgery

May 26, 2015 Patched in 0.8.3.5 (3164d)
Code Analysis
Analyzed Mar 16, 2026

WP Fastest Cache – WordPress Cache Plugin Code Analysis

Dangerous Functions
1
Raw SQL Queries
18
2 prepared
Unescaped Output
167
45 escaped
Nonce Checks
29
Capability Checks
21
File Operations
74
External Requests
11
Bundled Libraries
1

Dangerous Functions Found

unserializereturn unserialize($cdn_value->zone_id);inc\cdn.php:233

Bundled Libraries

TinyMCE

SQL Query Safety

10% prepared20 total queries

Output Escaping

21% escaped212 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

9 flows5 with unsanitized paths
saveOption (inc\admin.php:275)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
8 unprotected

WP Fastest Cache – WordPress Cache Plugin Attack Surface

Entry Points31
Unprotected8

AJAX Handlers 31

authwp_ajax_wpfc_clear_cache_columninc\column.php:11
noprivwp_ajax_wpfc_wppolls_ajax_requestinc\wp-polls.php:8
authwp_ajax_wpfc_wppolls_ajax_requestinc\wp-polls.php:9
authwp_ajax_wpfc_delete_cachewpFastestCache.php:100
authwp_ajax_wpfc_delete_cache_and_minifiedwpFastestCache.php:101
authwp_ajax_wpfc_delete_current_page_cachewpFastestCache.php:102
authwp_ajax_wpfc_clear_cache_of_allsiteswpFastestCache.php:104
authwp_ajax_wpfc_toolbar_save_settingswpFastestCache.php:106
authwp_ajax_wpfc_toolbar_get_settingswpFastestCache.php:107
authwp_ajax_wpfc_save_timeout_pageswpFastestCache.php:111
authwp_ajax_wpfc_save_exclude_pageswpFastestCache.php:112
authwp_ajax_wpfc_cdn_optionswpFastestCache.php:113
authwp_ajax_wpfc_remove_cdn_integrationwpFastestCache.php:114
authwp_ajax_wpfc_pause_cdn_integrationwpFastestCache.php:115
authwp_ajax_wpfc_start_cdn_integrationwpFastestCache.php:116
authwp_ajax_wpfc_save_cdn_integrationwpFastestCache.php:117
authwp_ajax_wpfc_cdn_templatewpFastestCache.php:118
authwp_ajax_wpfc_check_urlwpFastestCache.php:119
authwp_ajax_wpfc_cache_statics_getwpFastestCache.php:120
authwp_ajax_wpfc_db_staticswpFastestCache.php:121
authwp_ajax_wpfc_db_fixwpFastestCache.php:122
authwp_ajax_wpfc_save_cspwpFastestCache.php:128
authwp_ajax_wpfc_remove_cspwpFastestCache.php:129
authwp_ajax_wpfc_get_list_cspwpFastestCache.php:130
authwp_ajax_wpfc_save_varnishwpFastestCache.php:133
authwp_ajax_wpfc_remove_varnishwpFastestCache.php:134
authwp_ajax_wpfc_pause_varnishwpFastestCache.php:135
authwp_ajax_wpfc_start_varnishwpFastestCache.php:136
authwp_ajax_wpfc_purgecache_varnishwpFastestCache.php:137
authwp_ajax_wpfc_preload_single_save_settingswpFastestCache.php:388
authwp_ajax_wpfc_preload_singlewpFastestCache.php:389
WordPress Hooks 59
actionwp_before_admin_bar_renderinc\admin-toolbar.php:11
actionadmin_enqueue_scriptsinc\admin-toolbar.php:12
actionadmin_enqueue_scriptsinc\admin-toolbar.php:13
actionwp_print_scriptsinc\admin-toolbar.php:14
actionwp_before_admin_bar_renderinc\admin-toolbar.php:17
actionwp_enqueue_scriptsinc\admin-toolbar.php:18
actionwp_enqueue_scriptsinc\admin-toolbar.php:19
actionwp_footerinc\admin-toolbar.php:20
actionadmin_enqueue_scriptsinc\admin.php:15
filterplugin_localeinc\admin.php:16
actionadmin_print_footer_scriptsinc\admin.php:86
actioninitinc\admin.php:87
filtermce_external_pluginsinc\admin.php:104
filtermce_buttonsinc\admin.php:105
actionadmin_menuinc\admin.php:245
actioninitinc\cache.php:35
filteremoji_svg_urlinc\cache.php:48
actionwpinc\cache.php:492
actionget_footerinc\cache.php:493
actionget_footerinc\cache.php:494
actionwpfc_exclude_current_pageinc\cache.php:497
filterpost_row_actionsinc\column.php:6
filterpage_row_actionsinc\column.php:7
actionadmin_enqueue_scriptsinc\column.php:10
actionwp_footerinc\wp-polls.php:10
actionrate_postwpFastestCache.php:123
actionuser_registerwpFastestCache.php:124
actionprofile_updatewpFastestCache.php:125
actionedit_termswpFastestCache.php:126
actionafter_switch_themewpFastestCache.php:141
actionactivate_pluginwpFastestCache.php:145
actiondeactivate_pluginwpFastestCache.php:146
actionupgrader_process_completewpFastestCache.php:150
actionupgrader_process_completewpFastestCache.php:151
actionwoocommerce_order_status_changedwpFastestCache.php:158
actionkksr_ratewpFastestCache.php:163
actionelementor/maintenance_mode/mode_changedwpFastestCache.php:166
actionwpfc_clear_all_cachewpFastestCache.php:169
actionwpfc_clear_all_site_cachewpFastestCache.php:170
actionwpfc_clear_post_cache_by_idwpFastestCache.php:171
actionwpfc_create_post_cache_by_idwpFastestCache.php:174
actionadmin_initwpFastestCache.php:177
actioninitwpFastestCache.php:195
actioninitwpFastestCache.php:223
actionwp_loadedwpFastestCache.php:230
actiontransition_post_statuswpFastestCache.php:237
actionwoocommerce_update_productwpFastestCache.php:240
actionwp_loadedwpFastestCache.php:259
actionplugins_loadedwpFastestCache.php:276
actionwp_loadedwpFastestCache.php:277
actionwp_loadedwpFastestCache.php:322
actionadd_meta_boxeswpFastestCache.php:386
actionadmin_noticeswpFastestCache.php:387
actionadmin_menuwpFastestCache.php:915
actionadmin_initwpFastestCache.php:991
actionwp_set_comment_statuswpFastestCache.php:1391
actioncomment_postwpFastestCache.php:1394
actionedit_commentwpFastestCache.php:1397
filtercron_scheduleswpFastestCache.php:2383
Maintenance & Trust

WP Fastest Cache – WordPress Cache Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 10, 2026
PHP min version
Downloads63.4M

Community Trust

Rating98/100
Number of ratings4,207
Active installs1.0M
Alternatives

WP Fastest Cache – WordPress Cache Plugin Alternatives

AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization

AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization

add-expires-headers

B
76

AEH Speed Optimization boosts site speed with caching, minification, lazy loading, and image optimization to improve performance and SEO.

3K 1 unpatched
Autoptimize

Autoptimize

autoptimize

B
77

Autoptimize speeds up your website by optimizing JS, CSS, images (incl. lazy-load), HTML and Google Fonts, asyncing JS, removing emoji cruft and more.

900K 10 CVEs
Aruba HiSpeed Cache

Aruba HiSpeed Cache

aruba-hispeed-cache

A
95

Aruba HiSpeed Cache interfaces directly with an Aruba hosting platform's HiSpeed Cache service and automates its management.

100K 6 CVEs
10Web Booster – Website speed optimization, Cache & Page Speed optimizer

10Web Booster – Website speed optimization, Cache & Page Speed optimizer

tenweb-speed-optimizer

A
86

Speed up your site with 10Web Booster. Pass Core Web Vitals by optimizing HTML / CSS / JavaScript, Image Optimization, Lazy Loading, Cache, Google Fon &hellip;

90K 5 CVEs
Seraphinite Accelerator

Seraphinite Accelerator

seraphinite-accelerator

A
95

Turns on site high speed to be attractive for people and search engines.

60K 9 CVEs
Developer Profile

WP Fastest Cache – WordPress Cache Plugin Developer Profile

Emre Vona

1 plugin · 1.0M total installs

62
trust score
Avg Security Score
76/100
Avg Patch Time
1044 days
View full developer profile
Detection Fingerprints

How We Detect WP Fastest Cache – WordPress Cache Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-fastest-cache/css/style.css/wp-content/plugins/wp-fastest-cache/js/wpfastestcache.js
Script Paths
/wp-content/plugins/wp-fastest-cache/js/wpfastestcache.js
Version Parameters
wp-fastest-cache/css/style.css?ver=wp-fastest-cache/js/wpfastestcache.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpfc-settings-tabs
HTML Comments
BEGIN WpFastestCacheEND WpFastestCacheBEGIN GzipWpFastestCacheEND GzipWpFastestCache+4 more
Data Attributes
data-wpfc-nonce
JS Globals
wpFastestCachewpFastestCacheConfig
REST Endpoints
/wp-json/wpfastestcache/v1/settings/wp-json/wpfastestcache/v1/cache/wp-json/wpfastestcache/v1/cdn
FAQ

Frequently Asked Questions about WP Fastest Cache – WordPress Cache Plugin