The team at the research firm Sucuri announced a serious vulnerability to W3TC and WP Super Cache yesterday afternoon. (Update: it appears the vulnerability was first reported on WordPress.org about a month ago.) The vulnerability allows remote PHP code to be executed locally on a server for anyone running either of the two most popular WordPress caching plugins. This is a serious vulnerability as it could allow an attacker to execute code on your server.
Here are the versions of each plugin that are vulnerable:
- W3 Total Cache (version 0.9.2.8 and below are vulnerable, version 0.9.2.9 and up are not vulnerable) / upgrade here
- WP Super Cache (version 1.2 and below are vulnerable, version 1.3.x and up are not vulnerable) / upgrade here
If you are running either of these plugins you should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade). The vulnerability is serious enough that we recommend you disable the plugins until you have completed an upgrade.
The attack takes advantage of several functions in these plugins including: mfunc, mclude, and dynamic-cached-content. An attacker can execute a PHP command running on the server by pasting a comment to a WordPress blog running a vulnerable version of W3 Total Cache or WP Super Cache. For example, if you are running a vulnerable version of the plugins, the following will result in your current PHP version being printed in the comment:
<!--mfunc echo PHP_VERSION; --><!--/mfunc-->
While this is harmless, the same mfunc call in either plugin can run other arbitrary commands on your server. This could be used to gain access to the server, execute arbitrary database commands, or remotely install malware. Again, this is a very severe vulnerability and all W3TC and W3 Super Cache users should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade).
Should you have any additional queries, please open a support ticket through your account and speak to us on how best to proceed.