WordPress WP Super Cache and W3C Vulnerability – Urgent Patch
Two of the biggest caching plugins in WordPress have what we would classify a very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution.
[break][/break]
[break][/break]
It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern however is the seriousness of the vulnerability and the shear volume of users between both plugins.
[break][/break]
There are a few posts, released within the past few hours that do a great job of explaining what the issue was and what was being exploited. You can find some good after action thoughts on Frank Goosens’ blogand on Acunetix’s blog as well.
[break][/break]
Why Such a Big Deal?
Between the two plugins they’re looking at something close to 6 million downloads, granted not all current and some will be updates, but assuming even 25% are unique sites that’s an impressive number for any plugin. The real issue comes in that it applies to any WordPress blog that has comments enabled.
[break][/break]
If you’re using a third-party service, like Disqus, this won’t affect you. A really simple way to test is leave yourself a comment like this:
<!–mfunc echo PHP_VERSION; –><!–/mfunc–>
This means I can pass any commands I want to your server and they’ll execute, hence the term remote command execution (RCE).
[break][/break]
Replace my echo with an eval and encode a payload and now it’s a different ball game. Case in point, a backdoor shell, all while going via your comments and bypassing all other authentication controls.
[break][/break]
Again, not an issue to be taken lightly, this is a very serious vulnerability, further exasperated by the fact that any user can exploit it. The easiest way to protect yourself is to upgrade. You can find the latest updates on the WordPress.org repository: