Arbitrary Directory Deletion in WP-Fastest-Cache
The WP-Fastest-Cache plugin authors released a new update, version 0.8.9.1, fixing a vulnerability (CVE-2019-6726) that is present when the plugin is installed alongside the WP-PostRatings plugin. According to seclists.org:
“A successful attack allows an unauthenticated attacker to specify a path to a directory from which files and
directories will be deleted recursively. The vulnerable code path extracts the path portion of the referrer header and
then uses string concatenation to build an absolute path.
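
The path-building pattern the advisory describes, next to a checked variant, as an added PHP example that is not the plugin's own code. `CACHE_ROOT`, both function names and the sample referrers are constructed assumptions.

```php
<?php
// Added illustration, not WP-Fastest-Cache source code.
// CACHE_ROOT and the function names are hypothetical.
const CACHE_ROOT = '/var/www/html/wp-content/cache/all';

// Pattern from the advisory: the path portion of the Referer header is
// concatenated onto a base directory. The header is client-controlled and
// nothing constrains the result to stay inside CACHE_ROOT.
function cache_dir_unsafe(string $referer): string
{
    $path = parse_url($referer, PHP_URL_PATH);
    return CACHE_ROOT . $path;
}

// Checked variant: decode, normalise lexically, and refuse anything that
// is not strictly below CACHE_ROOT. Returns null when the caller must not
// delete anything.
function cache_dir_checked(string $referer): ?string
{
    $path = parse_url($referer, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return null;                       // malformed URL or no path
    }
    $path = rawurldecode($path);           // handle %2e%2e style encodings
    if (strpos($path, "\0") !== false || strpos($path, '\\') !== false) {
        return null;
    }
    $segments = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                      // collapse "//" and "/./"
        }
        if ($seg === '..') {
            return null;                   // reject instead of resolving
        }
        $segments[] = $seg;
    }
    if ($segments === []) {
        return null;                       // would be the cache root itself
    }
    // On a live filesystem, also compare realpath() of this result with
    // realpath(CACHE_ROOT) so a symlink cannot lead outside the root.
    return CACHE_ROOT . '/' . implode('/', $segments);
}

// Constructed sample referrers.
foreach (['https://blog.example/2019/01/hello-world/', 'https://blog.example/../../uploads/',
          'https://blog.example/%2e%2e/%2e%2e/', 'https://blog.example/'] as $ref) {
    printf("%s\n  unsafe:  %s\n  checked: %s\n", $ref, cache_dir_unsafe($ref),
           var_export(cache_dir_checked($ref), true));
}
```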