WordPress Caching Plugins Remote PHP Code Execution

Two very popular WordPress caching plugins, WP Super Cache (4,373,811 downloads) and W3 Total Cache (1,975,480 downloads), have been affected by a vulnerability that allows remote users to execute arbitrary PHP code.

The affected versions are:

  • WP Super Cache (version 1.2 and below; versions 1.3.x and up are OK)
  • W3 Total Cache (version 0.9.2.8 and below, version 0.9.2.9 is OK)

The vulnerability was first discovered and reported on the WordPress forums about a month ago. It has since been fixed in both plugins, so make sure you are running the latest versions.

Both plugins support dynamic content on the page. You can mark parts of the page as dynamic and these will not be cached. Currently there are three tags that can be used to create dynamic snippets. You can find more information about this on the WP Super Cache FAQ page.

  1. dynamic-cached-content

    <!--dynamic-cached-content--><?php
    include_once( ABSPATH . '/scripts/adverts.php' );
    print_sidebar_ad();
    do_more_stuff();
    ?><!--
    include_once( ABSPATH . '/scripts/adverts.php' );
    print_sidebar_ad();
    do_more_stuff();
    --><!--/dynamic-cached-content-->

    This code will include the file adverts.php and will execute the functions "print_sidebar_ad()" and "do_more_stuff()".

  2. mfunc

    <!--mfunc function_name( 'parameter', 'another_parameter' ) -->
    <?php function_name( 'parameter', 'another_parameter' ) ?>
    <!--/mfunc-->

    This code will execute the function "function_name()".

  3. mclude

    <!--mclude file.php-->
    <?php include_once( ABSPATH . 'file.php' ); ?>
    <!--/mclude-->

    This code will include file.php under the ABSPATH directory.

The problem is that these tags are HTML comments, and WordPress does not filter HTML comments out of user-submitted content. At the same time, the caching plugin interprets these tags wherever they appear in the page, which causes code to be executed on the server.

To exploit this vulnerability somebody just has to post a comment containing any of the special tags mentioned above. For example, if somebody posts the comment <!--mfunc eval(base64_decode(cGhwaW5mbygpOyAg)); --><!--/mfunc-->, this comment will be ignored by WordPress (because it's an HTML comment) but parsed and executed by the caching plugin, which will then return a page showing the output of phpinfo().

[Image: WP Super Cache Remote PHP Code Execution]
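An added example, not code from the original post or from either plugin: a Python script that audits stored comment bodies for the three dynamic tags described above and escapes them so they are stored as visible text. The function names, the case-insensitive matching and the sample rows are assumptions made for illustration.

```python
import html
import re

# The three dynamic-content tag names listed in the post.
DYNAMIC_TAGS = ("dynamic-cached-content", "mfunc", "mclude")

# Opening or closing tag: "<!--", optional "/", tag name, then everything up
# to the first "-->". Case-insensitive matching is an assumption made here to
# be conservative: flagging too much is cheaper than missing a variant.
TAG_RE = re.compile(
    r"<!--\s*(?P<close>/)?\s*(?P<name>"
    + "|".join(re.escape(t) for t in DYNAMIC_TAGS)
    + r")\b(?P<arg>.*?)-->",
    re.IGNORECASE | re.DOTALL,
)


def find_dynamic_tags(text):
    """Return (tag_name, argument) for every opening dynamic tag in text."""
    return [(m.group("name").lower(), m.group("arg").strip())
            for m in TAG_RE.finditer(text) if not m.group("close")]


def neutralize(text):
    """Escape matched tags so they become visible text, not HTML comments."""
    return TAG_RE.sub(lambda m: html.escape(m.group(0)), text)


def audit_comments(comments):
    """Map comment id -> hits, keeping only comments that contain a tag."""
    found = {cid: find_dynamic_tags(body) for cid, body in comments}
    return {cid: hits for cid, hits in found.items() if hits}


# Constructed sample rows (comment id, comment body); not real data.
# Row 102 reuses the phpinfo() test comment quoted in the post.
SAMPLE_COMMENTS = [
    (101, "Great post, thanks!"),
    (102, "<!--mfunc eval(base64_decode(cGhwaW5mbygpOyAg)); --><!--/mfunc-->"),
    (103, "nice <!-- MCLUDE file.php --><!--/mclude--> <!-- plain note -->"),
]

if __name__ == "__main__":
    for cid, hits in audit_comments(SAMPLE_COMMENTS).items():
        print(cid, hits)
```

Ordinary HTML comments, such as the one at the end of row 103, are left untouched; only the three plugin tags are reported and escaped.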

We have just released an Acunetix WVS update that tests WordPress sites for this vulnerability. You can install the update from Acunetix Web Vulnerability Scanner > General > Program Updates. Click 'Check for Updates', and then select 'Download and Install Updates'.

If the website being scanned is found to be vulnerable, the scanner will report the vulnerability as follows:

[Image: Acunetix VS WP Super Cache Remote PHP Code Execution]

This is a very dangerous vulnerability. Over 6 million WordPress installations could potentially be vulnerable. It is therefore absolutely essential that the vulnerable versions of these plugins are upgraded to the latest version as soon as possible.


  2. The affected versions are not correct, should be:

    WP Super Cache (version 1.2 and below, version 1.3.x and up are OK)
    W3 Total Cache (version 0.9.2.8 and below, version 0.9.2.9 is OK)

    April 24, 2013 at 8:31 am Reply
    • Bogdan Calin

      Thanks Frank,
      I will update the post.

      April 24, 2013 at 8:38 am Reply
  12. Mark

    False Positive results by Acunetix.

    Vulnerability description
    This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability. Many sites are using to select elements using location.hash that allows someone to inject script into the page. This problem was fixed in jQuery 1.6.3.

    This vulnerability affects /js/jquery-1.4.2.min.js.

    Discovered by: Scripting (jQuery_Audit.script).

    But the XSS script is not injectable in the 1.4.2 version, it is in 1.6.2 as given in reference.

    //ma.la/jquery_xss/

    Please look into it.

    Thanks

    May 9, 2013 at 5:52 pm Reply
    • Bogdan Calin

      It was reported on version 1.6.1 but it affects older versions as well.
      Check the last comment from the report
      //bugs.jquery.com/ticket/9521

      Changed 3 weeks ago by augustd
      Also affects jQuery v1.4.2

      May 9, 2013 at 5:57 pm Reply
  13. Useful Information for me, I am using wp super cache

    thanks

    June 13, 2013 at 10:52 am Reply