Description
WordPress Plugin W3 Total Cache is prone to multiple vulnerabilities, including cross-site scripting, security bypass, arbitrary file upload, arbitrary file download, server-side request forgery, PHP code execution, information disclosure and denial of service. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, allowing the attacker to steal cookie-based authentication credentials and to perform otherwise restricted actions, thereby bypassing the security token check; to upload arbitrary code and run it in the context of the webserver process, which may facilitate unauthorized access or privilege escalation; to gain access to sensitive information; to make the vulnerable server perform port scanning of hosts in internal or external networks; to execute arbitrary PHP code with the privileges of the user running the application, compromising the application or the underlying database, allowing data to be accessed or modified and a vulnerable system to be compromised; and to cause the affected website to consume memory and CPU resources, thus denying service to legitimate users. WordPress Plugin W3 Total Cache version 0.9.4.1 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 0.9.5 or later.
References
https://blog.zerial.org/seguridad/vulnerabilidad-cross-site-scripting-en-wordpress-w3-total-cache/
https://secupress.me/4-new-security-flaws-w3-total-cache-0-9-4-1/
https://klikki.fi/adv/w3_total_cache.html