
W3TC and WP Super Cache Vulnerability Discovered, We've Automatically Patched

2013-04-24


The team at the research firm Sucuri announced a serious vulnerability in W3TC and WP Super Cache this afternoon. (Update: it appears the vulnerability was first reported on WordPress.org about a month ago.) The vulnerability allows a remote attacker to get attacker-supplied PHP code executed on the server of anyone running either of the two most popular WordPress caching plugins. This is a serious vulnerability because it gives an attacker code execution on your server.

Here are the versions of each plugin that are vulnerable:

  • W3 Total Cache: version 0.9.2.8 and below are vulnerable; version 0.9.2.9 and up are not vulnerable.

  • WP Super Cache: version 1.2 and below are vulnerable; version 1.3.x and up are not vulnerable.

As a precaution, CloudFlare has applied a rule to our network which protects against this specific vulnerability in both plugins. The protection is applied for all CloudFlare accounts automatically, even free accounts. You do not need to do anything to enable the protection.

Even with this protection in place, if you are running either of these plugins you should upgrade immediately. The vulnerability is serious enough that we recommend you disable the plugins until you have completed the upgrade. If you're not already a CloudFlare customer, you can sign up for free to get protection immediately.

Technical Details

The attack takes advantage of the dynamic-content directives these plugins support, including mfunc, mclude, and dynamic-cached-content. These directives exist so that a site author can embed PHP that runs each time an otherwise cached page is served; the problem is that the plugins also honour them when they appear in untrusted content such as visitor comments. An attacker can therefore execute a PHP command on the server simply by posting a comment containing one of these directives to a WordPress blog running a vulnerable version of W3 Total Cache or WP Super Cache. For example, if you are running a vulnerable version of either plugin, the following comment results in your current PHP version being printed in the rendered comment:

While this particular example is harmless, the same mfunc call in either plugin can run arbitrary commands on your server. This could be used to gain access to the server, execute arbitrary database commands, or remotely install malware. Again, this is a very severe vulnerability and all W3TC and WP Super Cache users should upgrade immediately.
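The following is an added example, not CloudFlare's network rule and not code from either plugin. It shows the kind of check a site operator could run over submitted comments (or over a comment table export) while an upgrade is pending: it flags any text containing the three directive names the post lists and neutralizes the opening delimiter so a caching layer can no longer recognise the directive. The directive names come from the post; the exact delimiter and whitespace forms matched by the regular expression are an assumption modelled on HTML-comment syntax, and the sample comments are constructed for this example.

```python
import re

# Directive names the post identifies as abused by the attack.
DANGEROUS_TAGS = ("mfunc", "mclude", "dynamic-cached-content")

# Assumption: directives are written as HTML comments, e.g. "<!--mfunc ... -->",
# optionally with whitespace after "<!--" and a "/" for the closing form.
# Matching is case-insensitive so "<!-- MFUNC" is not missed.
_TAG_RE = re.compile(
    r"<!--\s*/?\s*(" + "|".join(re.escape(t) for t in DANGEROUS_TAGS) + r")\b",
    re.IGNORECASE,
)


def find_cache_directives(text):
    """Return the distinct directive names present in text, lowercased and sorted."""
    return sorted({m.group(1).lower() for m in _TAG_RE.finditer(text)})


def is_suspicious(text):
    """True if the text contains any of the dangerous directives."""
    return _TAG_RE.search(text) is not None


def neutralize(text):
    """Escape the '<' of each matched directive opener.

    "<!--mfunc" becomes "&lt;!--mfunc": it renders as literal text in a browser
    and is no longer an HTML comment, so a directive parser will not see it.
    Ordinary HTML comments elsewhere in the text are left untouched.
    """
    return _TAG_RE.sub(lambda m: m.group(0).replace("<", "&lt;", 1), text)


# Constructed sample comments (not real submissions).
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    "<!--mfunc echo PHP_VERSION; --><!--/mfunc-->",
    "<!-- MCLUDE wp-content/some-file.php --><!-- /mclude -->",
    "<!--dynamic-cached-content--><?php echo 'x'; ?><!--/dynamic-cached-content-->",
    "Use <!-- a normal HTML comment --> in your theme",
]


def triage(comments):
    """Pair each comment with the directive names found in it."""
    return [(c, find_cache_directives(c)) for c in comments]


if __name__ == "__main__":
    for comment, hits in triage(SAMPLE_COMMENTS):
        status = "FLAG " + ",".join(hits) if hits else "ok"
        print(f"{status:35} {comment!r}")
```

Flagged comments should be held for moderation or deleted rather than merely neutralized, since the same text may already sit in a cached page; the upgrade, not this filter, is the actual fix.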

Tags: WordPress, Vulnerabilities

Matthew Prince (@eastdakota)
Cloudflare (@cloudflare)
