A significant vulnerability has been found across two caching plugins for WordPress, namely WP Super Cache and W3 Total Cache.
Both of these are highly popular plugins used to make sites faster and more in line with Google’s upcoming page experience update.
Many hosting providers recommend both plugins to help with page speed, and more than six million people use both on their WordPress sites.
The Vulnerability is Known as Remote Code Execution
This new vulnerability falls under the category of remote code execution, and what makes it so serious is that it affects every single WordPress installation that has blog comments enabled.
The user Kisscsaby first reported it on the official WordPress forum.
What is Remote Code Execution?
Science Direct explains remote code execution as follows:
“Remote code execution is always performed by an automated tool. Attempting to manually remotely execute code would be at the very best near impossible. These attacks are typically written into an automated script. Remote arbitrary code execution is most often aimed at giving a remote user administrative access on a vulnerable system. The attack is usually prefaced by an information gathering attack, in which the attacker uses some means such as an automated scanning tool to identify the vulnerable version of software. Once identified, the attacker executes the script against the program with hopes of gaining local administrative access on the host.
Once the attacker has gained local administrative access on the system, the attacker initiates a process. The attacker will do his best to hide his presence inside the system. Following that, he may use the compromised host to launch remote arbitrary code execution attacks against other hosts.
Although remote execution of arbitrary code can allow an attacker to execute commands on a system, it is subject to some limitations.”
Example of the Exploit
Netsparker.com shares an example of the code evaluation exploit in question:
“You want to have dynamically generated variable names for every user and store its registration date. This is how it could be done in PHP:
eval("\$$user = '$regdate';");
Since the username is generally user controlled input an attacker can generate a name like this:
x = 'y';phpinfo();//
The resulting PHP code would now look like this:
$x = 'y';phpinfo();// = '2016';
As you can see the variable is now called x and has the value y. After the attacker was able to assign that value to the variable he is able to start a new command by using the semicolon (;). He can now comment out the rest of the string, so he doesn’t get syntax errors. If he executes this code the output of phpinfo will appear on the page. You should keep in mind that this is not only possible in PHP but also in any other language with functions that evaluate input.”
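The pattern quoted above, shown next to a hardened version that stores the same per-user value without ever evaluating user input as code. This is an added example, not code from the article or from Netsparker; the function names and the identifier-only username rule are assumptions for illustration.

```php
<?php
// Added example: the eval() pattern from the quoted walkthrough beside a safe alternative.

// Vulnerable: builds PHP source text from $user and hands it to eval().
// A username containing a quote and a semicolon ends the assignment and starts a new
// statement, which is exactly the injection the quoted text describes.
// Kept only for contrast; it is never called with untrusted input here.
function store_registration_date_unsafe(string $user, string $regdate): void
{
    eval("\$$user = '$regdate';");
}

// Hardened: the "one entry per user" goal is met with an associative array.
// The username is only ever used as a string key and is never parsed as PHP.
function store_registration_date_safe(array &$registrations, string $user, string $regdate): void
{
    // Assumed policy: accept only short identifier-style usernames and reject everything else.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }
    $registrations[$user] = $regdate;
}

// Demonstration with a constructed benign name and the constructed hostile name from the article.
$registrations = [];
$hostile = "x = 'y';phpinfo();//";

store_registration_date_safe($registrations, 'alice', '2016');
var_dump($registrations);

try {
    store_registration_date_safe($registrations, $hostile, '2016');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Even with the input check, the important change is structural: the safe version has no code path in which a username can reach eval().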
Patch Issued for WP Super Cache; Update Immediately
In response to this threat, the developer of the WP Super Cache plugin has released a patch and advises all users to immediately update their plugin to version 1.7.2.
Be sure to download the update so you can restore your site’s security as quickly as humanly possible.
At the time of writing, though, there is not currently any word from W3 Total Cache regarding any updates or patches. So if you’re one of the plugin’s many users, be aware that it could be putting your site at risk until its vulnerability is fixed.