Two very popular WordPress caching plugins: WP Super Cache (4,373,811 downloads) and W3 Total Cache (1,975,480 downloads) have been affected by a vulnerability that allows remote users to execute arbitrary PHP code.

The affected versions are:

  • WP Super Cache (version 1.2 and below,  version 1.3.x and up are OK)
  • W3 Total Cache (version 0.9.2.8 and below, version 0.9.2.9 is OK)

The vulnerability was first discovered and reported on the WordPress forums about a month ago. The vulnerability has been fixed in both plugins since them, so make sure you are running the latest versions.

Both plugins support dynamic content on the page. You can mark parts of the page as dynamic and these will not be cached. Currently there are three tags that can be used to create dynamic snippets. You can find more information about this on the WP Super Cache FAQ page.

  1. dynamic-cached-content

    <!--dynamic-cached-content--><?php
    include_once( ABSPATH . '/scripts/adverts.php' );
    print_sidebar_ad();
    do_more_stuff();
    ?><!--
    include_once( ABSPATH . '/scripts/adverts.php' );
    print_sidebar_ad();
    do_more_stuff();
    --><!--/dynamic-cached-content-->

    This code will include the file adverts.php and will execute the functions “print_sidebar_ad()” and “do_more_stuff()”.

  2. mfunc

    <!--mfunc function_name( 'parameter', 'another_parameter' ) -->
    <?php function_name( 'parameter', 'another_parameter' ) ?>
    <!--/mfunc-->

    This code will execute the function “function_name()”.

  3. mclude

    <!--mclude file.php-->
    <?php include_once( ABSPATH . 'file.php' ); ?>
    <!--/mclude-->

    This code will include file.php under the ABSPATH directory.

The problem is that these tags are HTML comments, and WordPress does not filter them. At the same time, these tags are being interpreted and causing code to be executed on the server.

To exploit this vulnerability somebody just has to post a comment containing any of the special tags mentioned above. For example, if somebody posts the comment <!–mfunc eval(base64_decode(cGhwaW5mbygpOyAg)); –><!–/mfunc–>, this comment will be ignored by WordPress (because it’s a HTML comment) but parsed and executed by the caching plugin that will return a page showing a phpinfo() page.

WP Super Cache Remote PHP Code Execution

We have just released an Acunetix WVS update that is testing WordPress sites for this vulnerability.You can install the update from Acunetix Web Vulnerability Scanner > General > Program Updates. Click ‘Check for Updates’, and then select to ‘Download and Install Updates’.

If the website being scanned is found to be vulnerable, the scanner will report the vulnerability as follows:

Acunetix VS WP Super Cache Remote PHP Code Execution

This is a very dangerous vulnerability. Over 6 million WordPress installations could potentially be vulnerable. It is therefore absolutely essential that the vulnerable versions of these plugins are upgraded to the latest version as soon as possible.

SHARE THIS POST
THE AUTHOR
Bogdan Calin

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.