The team at Sucuri have identified and warned WordPress users against an important vulnerabilities with the 2 popular caching plugins WP Super Cache and W3TC. They have written 2 articles about it and according to them, the two WordPress caching plug-ins, WP Super Cache and W3TC, have vulnerabilities that can be exploited by hackers.
The hackers are being smart and using what most bloggers love – comments. If you have comments enabled, the vulneranilities in these plugins can give a hacker the ability to issue commands to your server. The issue was first discovered by a user back in mid-March and highlighted on the WordPress.org forums.
We have a number of clients using these plugins which have unfortunately over the years cause a myriad of issues. I’ve seen WP Super Cache render site’s unusable and non-functional until deletion of the plugin.
Sucuri are recommending that everyone updates the plugins immediately however my personal opinion is that they should be removed and deleted from blogs.
Here are the versions of each plugin that are vulnerable:
- W3 Total Cache (version 0.9.2.8 and below are vulnerable, version 0.9.2.9 and up are not vulnerable) / upgrade here
- WP Super Cache (version 1.2 and below are vulnerable, version 1.3.x and up are not vulnerable) / upgrade here
Technical Details
The attack takes advantage of several functions in these plugins including: mfunc, mclude, and dynamic-cached-content. An attacker can execute a PHP command running on the server by pasting a comment to a WordPress blog running a vulnerable version of W3 Total Cache or WP Super Cache. For example, if you are running a vulnerable version of the plugins, the following will result in your current PHP version being printed in the comment:
[box type=”warning” ]<!–mfunc echo PHP_VERSION; –><!–/mfunc–>[/box]
While this is harmless, the same mfunc call in either plugin can run other arbitrary commands on your server. This could be used to gain access to the server, execute arbitrary database commands, or remotely install malware. Again, this is a very severe vulnerability and all WP Super Cache and W3TC users should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade).
If they gain remote access to your server, a hacker can wreak havoc on your WordPress pages, ruin your visitors’ experiences, and leaving you trying to repair the damage and fallout. As we have discussed before, your site or your blog are the things which define you, introducing people to you and your niche. If your site is compromised, it can harm your reputation. If you have a business, this can be catastrophic.
Sucuri also have some other tips which include:
What To Do?
The most obvious thing is to update immediately, both pluginauthors have made changes to their core to address these issues. That in it of itself will help you. Other options include the following:
- Adding Captcha’s to comments to deter spam bots
- Ensure all comments are going through some kind of moderation
- Don’t land the comments on your server, leverage 3rd party plugins – e.g., Disqus
If you have any issues at all please let us know and we can offer tech support, don’t forget we also have our security plans with Sucuri that you can take advantage for which offers monitoring and fixes if they should arise.
If this doesn’t apply to you please make sure other WordPress users are aware of the risks.
Thanks for the tips. Quite honestly most of it still went over my head though.
Visiting from #TUST
I don’t have either of these plugins, have been tossing up getting Disqus but I know when I had my old PC it really didn’t like it, so would risk losing / alienating commenters on older systems … what to do!
I seem to have a good system where wordpress catches most of my spam stuff, but then again I’m not totally sure how it does it. But thanks for warning, will look into this! Emily – visiting via TUST for Blogs and PR