Subscribe to receive notifications of new posts:

W3TC and WP Super Cache Vulnerability Discovered, We've Automatically Patched

04/24/2013

2 min read

W3TC and WP Super Cache Vulnerability Discovered, We've Automatically Patched
The team at the research firm Sucuri announced a serious vulnerability to W3TC and WP Super Cache this afternoon. (Update: it appears the vulnerability was first reported on WordPress.org about a month ago.) The vulnerability allows remote PHP code to be executed locally on a server for anyone running either of the two most popular WordPress caching plugins. This is a serious vulnerability as it could allow an attacker to execute code on your server.

Here are the versions of each plugin that are vulnerable:

  • W3 Total Cache (version 0.9.2.8 and below are vulnerable, version 0.9.2.9 and up are not vulnerable) / upgrade here
  • WP Super Cache (version 1.2 and below are vulnerable, version 1.3.x and up are not vulnerable) / upgrade here

As a precaution, CloudFlare has applied a rule to our network which protects against this specific vulnerability in both plugins. The protection is applied for all CloudFlare accounts automatically, even free accounts. You do not need to do anything to enable the protection.

Even with this protection in place, if you are running either of these plugins you should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade). The vulnerability is serious enough that we recommend you disable the plugins until you have completed an upgrade. If you're not already a CloudFlare customer, you can signup for free to get protection immediately.

Technical Details

The attack takes advantage of several functions in these plugins including: mfunc, mclude, and dynamic-cached-content. An attacker can execute a PHP command running on the server by pasting a comment to a WordPress blog running a vulnerable version of W3 Total Cache or WP Super Cache. For example, if you are running a vulnerable version of the plugins, the following will result in your current PHP version being printed in the comment:

<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

While this is harmless, the same mfunc call in either plugin can run other arbitrary commands on your server. This could be used to gain access to the server, execute arbitrary database commands, or remotely install malware. Again, this is a very severe vulnerability and all W3TC and W3 Super Cache users should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade).

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
WordPressVulnerabilities

Follow on X

Matthew Prince|@eastdakota
Cloudflare|@cloudflare

Related posts

March 14, 2024 12:30 PM

Mitigating a token-length side-channel attack in our AI products

The Workers AI and AI Gateway team recently collaborated closely with security researchers at Ben Gurion University regarding a report submitted through our Public Bug Bounty program. Through this process, we discovered and fully patched a vulnerability affecting all LLM providers. Here’s the story...