“All The Word That's Fit To Press.”
A WP Engine

Security Alert: WP Super Cache and W3 Total Cache

Tony Perez over at Sucuri shared yesterday a significant vulnerability that’s landed among some of the top plugins used out there which also happen to be the top caching plugins for WordPress.

If you’re a fan and a user of WP Super Cache or W3 Total Cache then this update is for you! There’s a RCE (Remote Code Execution) vulnerability in these plugins that allows an attacker to execute commands on the blog directly.

First discovered by kisscsaby in the WordPress forums it has been quickly dealt with via the plugin authors but that doesn’t mean that you haven’t updated yet!

A few other blogs have also noted this security issue and shared their thoughts and solutions. Right now, though, the best thing for you to do is update your plugins!

To test if you’re vulnerable or if you’ve been impacted you can easily copy the following line into your comment section of your blog:

<!–mfunc echo PHP_VERSION; –><!–/mfunc–>

If you get anything other than what’s exactly written there and instead get something like 5.2.17 (which is your PHP version) then you’ve been hit!

If you have been infected, do what Ryan Hellyer has suggested here:

Restore from backup, then manually back in any comments or posts which may have been added since your last backup. Make sure you update the plugin before pushing the changes live, or you risk being hacked again before you have a chance to upgrade the plugin.

Thanks for the catch Sucuri and make sure you block out part of your day to updating your sites (and your clients!).

More WordPress News From Torque:
  • http://shanegowland.com Shane Gowland

    The most noteworthy thing about this vulnerability is the utterly reckless way it was reported to the developers.

    • http://john.do/ John Saddington

      care to expand this? i didn’t dig into it too deeply as i cared more about getting the word out right now.

      • http://shanegowland.com Shane Gowland

        The person who discovered the exploit didn’t contact the plugin authors privately, but rather announced it publicly on the WordPress forum – complete with working exploit code.

        • http://john.do/ John Saddington

          LOL. that’s brilliant… err…

        • http://www.plausiblethought.net Marc Jenkins

          Well, that’s one way to get the plugin authors to act quickly.

  • http://www.chipbennett.net/ Chip Bennett

    Wouldn’t the stop-gap fix added to the Plugin repo by Frank Goossens be an ideal candidate for the Hot Fix Plugin? (Everyone is running Hot Fix by now, right? Right?!?)

    • http://shanegowland.com Shane Gowland

      One would still need to update Hot Fix to get the fix. No real difference between updating that plugin and updating the affected caching plugin.

      • http://www.chipbennett.net/ Chip Bennett

        I’m talking about the Stop Gap Plugin, WP Safer Cache, that Frank Goossens released as a stop gap fix to patch the vulnerability until the caching Plugins themselves were updated:

        There was a vulnerability in WordPress installations that used WP Super Cache prior to version 1.3 or W3 Total Cache prior to version This helper plugin was a stopgap solution for older versions. If you have upgraded WP Super Cache or W3 Total Cache, you can safely deactivate and remove this plugin.

        Remember: there was a three-week lapse between the (irresponsible) disclosure of the vulnerability, and the release of updates to the vulnerable Plugins themselves.

        Having a “stop gap” Plugin is great, but users have to know about it in order to be able to install/activate it. But if Hot Fix is already installed/active, the same stop-gap fix can be pushed out immediately, with no additional user action.

        • http://shanegowland.com Shane Gowland

          Ah sorry; I assumed you meant adding it to Hot Fix now, even though the plugins have already been updated.

          In that case, I agree. Having ‘WP Safer Cache’ in hotfix three weeks ago would have been a much prettier situation.

  • http://www.squareonemd.co.uk Elliott Richmond

    Wow that could be significant! Thanks for the heads up

  • http://www.seojus.com Justin M

    Hi John,

    Thanks so much for the heads up. I’m going to check this out now on all my sites. Just my 2 cents, why in the world would someone post the issue, exploit, and solution on a public platform?? Lol

    Thanks John again

  • http://africasiaeuro.com/wordpress/ Heinz

    Honestly – I keep myself asking why I added WP super cache and WP 3 in the first place.

    I quickly found out, trying to uninstall these plugins completely messes up your database if you don’t know what you are doing, changing files permissions in WP db, a whole lot of trouble awaits you.

    I ask those who have not yet come across this problem to be extra careful, and make sure you back up ( after you inactivate the plugin ), best (free) db manager plugin I found.

    Completely remove your plugin in your host file folder, after you change file permissions to 0666 ( enables you to remove file in your web explorer or FTP agent ). Rightclick –> properties –> add a tag to change to 0666.

    You can also cache on server level : read here http://www.caucho.com/resin-3.0/performance/caching.xtp

    Also, in addition, do not use free CDN ( content delivery network ) named coral. It created havoc.

    Good free options are scarce. Looking up wp forums will help to make the right choice.

    But, ALWAYS BACK UP your files before trying out some new plugin.

  • http://www.blogosense.com Pranjal

    Thanks, just updated W3 total cache on all my sites, and yes PHP version info was executed well via comments on few of them, ah fixed now!

  • http://phpit.com.br Rafael Jaques

    And how about moderated comments?

  • http://www.arindom.com Arnob Protim Roy

    But I know that in the lasted version the bug was fixed ?

    Read The Airticle ? is it true ?

  • http://www.bestphonespy.com/ Jack Gillman

    I always use WP Super Cache on my blogs. It works really great, helping me keep page load times under 1 second! Thanks!

  • http://www.phonespyapps.com/ Tom Richy

    The most noteworthy thing about this vulnerability is the utterly reckless way it was reported to the developers.