Critical WP Super Cache and W3TC Total Cache Update

April 25, 2013 in Blog by

Two of the biggest caching plugins in WordPress have very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution.

What is the arbitrary code execution?

Arbitrary code execution is used to describe an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process.

From 17th April both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern however is the seriousness of the vulnerability and the shear volume of users between both plugins.

Why should we worry about this?

Between the two plugins they’re looking at something close to 6 million downloads, granted not all current and some will be updates, but assuming even 25% are unique sites that’s an impressive number for any plugin. The real issue comes in that it applies to any WordPress blog that has comments enabled.

If you’re using a third-party service, like Disqus, this won’t affect you.

An easy way to test is leave yourself a comment like this:

<!–mfunc echo PHP_VERSION; –><!–/mfunc–>

If it works, it’ll show you the version of your server PHP install (for example 5.2.14). This means anyone can pass any commands I want to your server and they’ll execute, hence the term remote command execution (RCE).

This is not an issue to be taken lightly, this is a very serious vulnerability!
Further exasperated by the fact that any user can exploit it. The easiest way to protect yourself is to upgrade these plugins. You can find the latest updates on the repository:

WP Super Cache
W3TC Total Cache

Kudos to the plugin developers for acting quickly on the issue.

About Milan

The founder of Dessky, Milan has worked in all aspects of advanced web development, from building large commercialized e-commerce and social network systems to troubleshooting small wordpress blogs. His extensive skills cover virtually every area of web development. Milan works hard to implement tomorrow’s trends utilizing the cutting edge systems of today. He specializes in rich internet web application development and deployment, complex HTML5/CSS3 graphical design layouts, full blown framework-driven rich internet applications, and much more. Milan provides elegant solutions to complex problems encountered by businesses that use internet based services. Also he is the Graduated Engineer of both Computer Science and Information Technology.

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 1.00 out of 5)

Leave a Reply

Your email address will not be published. Required fields are marked * ragans.alisha