Update WP Super Cache and W3TC Immediately – Remote Code Execution Vulnerability Disclosed

Shame on us for not catching this a month ago when it was first reported, but it seems that two of the biggest caching plugins in WordPress have what we would classify as a very serious vulnerability: remote code execution (RCE), a.k.a. arbitrary code execution:

…arbitrary code execution is used to describe an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process. – Wikipedia

It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago, both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern, however, is the seriousness of the vulnerability and the sheer volume of users between both plugins.

There are a few posts, released within the past few hours, that do a great job of explaining what the issue was and what was being exploited. You can find some good after-action thoughts on Frank Goossens' blog and on Acunetix's blog as well.

Why Such a Big Deal?

Between the two plugins they're looking at something close to 6 million downloads. Granted, not all of those are current installs and some will be updates, but even if only 25% are unique sites, that's an impressive number for any plugin. The real issue is that it applies to any WordPress blog that has comments enabled.

If you're using a third-party comment service, like Disqus, this won't affect you. A really simple way to test is to leave yourself a comment like this:

<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

If it works, it’ll show you something like this:

[Screenshot, 2013-04-23: the test comment rendered as the server's PHP version string]

You can see that it's showing the version of my server's PHP install. No big deal, right? Wrong. This means I can pass any commands I want to your server and they'll execute, hence the term remote command execution (RCE).

In this instance all I did was echo, or print out, the PHP version, which in and of itself is benign. Replace my echo with an eval and an encoded payload and it's a different ball game: a backdoor shell, delivered through your comments and bypassing all other authentication controls.
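As an added defensive check (example code written for this post, not part of the original article or of either plugin): a small Python scanner that flags the mfunc tag described above in stored comment or post text, so a database export can be audited before and after upgrading. The mclude and dynamic-cached-content names are WP Super Cache's other two dynamic-content tags and are treated here as the same class of risk; the sample rows are constructed, not real site data.

```python
import re
from typing import Dict, Iterable, List, Tuple

# WP Super Cache's dynamic-content tags. mfunc is the one shown in the post;
# mclude and dynamic-cached-content are the plugin's other two tags of the
# same family and are scanned for on the same footing.
DYNAMIC_TAGS = ("mfunc", "mclude", "dynamic-cached-content")

# Matches an OPENING tag only, e.g. <!--mfunc echo PHP_VERSION; -->.
# Case-insensitive and whitespace-tolerant so trivial variations of the
# post's test string (extra spaces, newlines, upper case) are not missed.
# The closing form <!--/mfunc--> is deliberately not matched.
_TAG_RE = re.compile(
    r"<!--\s*(" + "|".join(DYNAMIC_TAGS) + r")\b(.*?)-->",
    re.IGNORECASE | re.DOTALL,
)


def find_dynamic_tags(text: str) -> List[Tuple[str, str]]:
    """Return (tag, payload) pairs for every dynamic-content tag in text.

    The payload is whatever sits between the tag name and the closing '-->',
    i.e. the code the plugin would have evaluated.
    """
    return [(m.group(1).lower(), m.group(2).strip()) for m in _TAG_RE.finditer(text)]


def scan_entries(entries: Iterable[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """Scan (id, source, content) rows and return one finding per tag hit.

    'source' is just a label for where the row came from (comments table,
    forum posts, ...), since anything that ends up in a cached page matters.
    """
    findings: List[Dict[str, object]] = []
    for entry_id, source, content in entries:
        for tag, payload in find_dynamic_tags(content):
            findings.append(
                {"id": entry_id, "source": source, "tag": tag, "payload": payload}
            )
    return findings


# Constructed sample rows (not real site data): id, source, content.
SAMPLE_ENTRIES = [
    (101, "wp_comments", "Great post, thanks for the heads-up."),
    (102, "wp_comments", "<!--mfunc echo PHP_VERSION; --><!--/mfunc-->"),
    (103, "wp_comments", "hello <!--  MFUNC\n echo 'x'; --><!--/mfunc--> world"),
    (104, "wp_comments", "Plain HTML comment: <!-- not a tag --> still fine"),
    (105, "bp_forum_posts", "<!--mclude wp-content/example.php--><!--/mclude-->"),
]

if __name__ == "__main__":
    for f in scan_entries(SAMPLE_ENTRIES):
        print(f"[{f['source']}#{f['id']}] {f['tag']}: {f['payload']!r}")
```

Run against a dump of wp_comments (and, as one commenter notes below, any other user-supplied content such as forum posts) to find rows that carry these tags; a hit on a site where nobody legitimately uses dynamic caching is a strong indicator that someone tried the vector.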

Again, this is not an issue to be taken lightly; it is a very serious vulnerability, further exacerbated by the fact that any user can exploit it. The easiest way to protect yourself is to upgrade. You can find the latest updates on the WordPress.org repository:

Kudos to the plugin developers for acting quickly on the issue. Now it’s your turn end-users, update!

About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.

  • http://twitter.com/ericandrewlewis Eric

    Supreme bummer here.

    In cases like this, I’d think plugin developers should be able to remotely disable plugins on user’s site, auto-email admins of a site, and force them to upgrade before reactivating the plugin.

  • RussellAaron

    That is the first thing I saw when I logged into numerous sites. Thanks for a more detailed explanation boys.

    • http://www.facebook.com/pownalltim Timothy Ryan Pwnall

      I thought this was known? Supercache has been vulnerable for months. I started using a reverse proxy for my caching after I had a cache file defaced on a bone stock wp.

  • Ryan Hellyer

    Batcache FTW! … http://wordpress.org/extend/plugins/batcache/

    I always found it too hard to figure out what was going on inside WP Supercache and W3 Total Cache. There's too much code to read through, so I switched to Batcache since the code is much much simpler and easier to understand.

    I don’t like using plugins if I don’t have time to do a full security audit on them as problems like this tend to occur.

    • http://www.techanger.com/ Aamir Rizwan

      Is it suitable for shared hosting?

  • eric

    What do I do if the payload has already been deployed into my app? Which logs do I have to check, if any?

    • Ryan Hellyer

      Restore from backup, then manually back in any comments or posts which may have been added since your last backup. Make sure you update the plugin before pushing the changes live, or you risk being hacked again before you have a chance to upgrade the plugin.

  • http://John.do/ John Saddington

    nice catch guys.

  • http://www.binarytides.com/ Silver Moon

    I don't use either of the plugins, I use Quick Cache instead.

    • http://twitter.com/wmwebdes Keith Davis

      Yes I’m a Quick Cache man.
      Presumably that is OK!

      • http://www.newbestapps.com/ NewBestApps

        Not sure. Code to generate caching might be the same.

        • ddd

          echo "this is test"

    • Chris

      Tested comments on my site(s) running Quick Cache, and it just displayed the text as entered instead of executing it.

  • Yogesh

    Are you sure? WP Super Cache was updated around 12 days ago and the plugin author mentions only the following in change log

    1.3.1

    Minor updates to documentation
    Fixed XSS in settings page.

  • Anonymous

    Don’t update wp-super-cache, delete it. The author hasn’t removed the arbitrary code execution vulnerability, they just blacklisted some naughty strings in comments. If you’re using BuddyPress, for instance, you can just put the naughty strings in forum posts instead of comments.

  • Randy Federighi

    WP Super cache still says most recent update was 1.3.1? There is also no notice in the plugins panel to upgrade either? How do we know the plugin has been updated? (sorry Yogesh – I didn’t see your comment) Does this include ANY type of form plugin or just comments?

    • Yogesh

      Well, I tried out the echo command mentioned above and it showed up as it was written, i.e. it didn't get executed.

    • http://ottodestruct.com Otto

      Version 1.3 fixed the issue of mfunc tags in comments.
      Version 1.3.1 fixed a minor XSS bug.
      Version 1.3.2, released today, disables the mfunc tags entirely, since almost nobody actually uses them, and adds a config option for people who do use them.

  • Xiong Chiamiov

    Good grief! I’m glad we got rid of W3TC a while ago because we found (after quite a bit of investigation) that it assumes it’s the only thing using your Memcached server, and periodically tries to flush all the keys out of memory.

  • Nancy Moore

    We just got rid of WP Super Cache last week on the blog I'm partners with and we're working on an in-house version of our own. But this is great news that you guys are right on top of these kinds of scary things. Thanks for posting!

  • John

    Re: further exasperated by the fact

    That should be “exacerbated.”

    • http://www.facebook.com/people/Leonard-Grossman/1578618437 Leonard Grossman

      Well, the exacerbation is exasperating.

  • Test
  • jasonkemp

    Given that Donncha is a long time WordPress contributor I would be surprised if the updates were anything less than scrupulous.

    http://ocaoimh.ie/2013/04/24/wp-super-cache-1-3-2/

  • http://www.happinessplunge.com/ Adam Pervez

    Wow, can’t believe this was left untreated for a month. Luckily I use cloudflare and they updated their system to prevent this from happening. I’ll still be upgrading to the new version of W3TC right now.

  • http://twitter.com/Zizounnette Karimus(wi)Slamanus

    DAFUQ.
    Gonna give up this plugin :/

  • http://megahost.ro/ megahost

    Too bad there are bloggers who update their plugins once a year or even less often.

  • Eoin Healy

    Regular plugin updates are the only way... at least once a week. Better safe than sorry :)

  • http://www.conversionation.net/ J-P De Clerck

    Thanks Tony, done and speed is back up… Kudos.

  • http://marketingwithsergio.com/ Sergio Félix

    Got rid of W3TC a looong time ago, not worth all the hassles that come with it.

    • http://foliovision.com Alec Kinnear

      We use HyperCache which tests out OK (just ran some tests) against this vulnerability. HyperCache also beat the pants off of WP SuperCache in a head to head we ran last fall: http://foliovision.com/2012/09/wordpress-speed-test-wp-super-cache-vs-hypercache

      WP Super Cache had shown itself to be the equal of W3TC in other tests (see the link above) so once again sometimes simple is better.

      • http://marketingwithsergio.com/ Sergio Félix

        Very interesting results there Alex, I think I’ll try HyperCache and see how it turns out for me, thanks!

  • http://www.creativethinkinghub.com/ Jim Connolly

    Thanks for the heads-up, Tony.

    Keep fighting the good fight!

  • Panicdots

    I went in to update plugins, but they are all up to date. Am I OK?

  • http://twitter.com/clickhost ClickHOST.com

    Thanks Tony!

  • http://www.mathewporter.co.uk/ Matt Porter

    Never used any of these caching plugins; my site is pretty light anyway and has some great page load times since moving to my new server. Will share the post to give some more exposure to the vulnerabilities.

  • wezlo

    So 0.9.2.9 of W3TC Total Cache is ok?

  • Matt Kaludi

    Thanks for the info. Just updated the plugin.

  • http://blurbrain.com/ Buffoon

    Many thanks. The little snip of code was especially clever as a way to check…

  • http://www.facebook.com/people/Leonard-Grossman/1578618437 Leonard Grossman

    So, How do I update W3TC? When I go to the admin page and then to the plugin repository it doesn’t give me the option to update. I tried deactivating but that didn’t work. Do I have to delete the old W3TC plugin and start from scratch?

  • gaurav

    When I check the plugins in the WordPress dashboard, WP Super Cache and W3TC are not shown there. In that condition, am I safe from the vulnerability?

  • Satish Cr

    Thanks Sucuri. After installing Sucuri to my site ( http://freeclassiads.com/ ) Malware & SQL injection attacks were stopped. Now I can sleep peacefully. Thanks Sucuri :-)

  • http://greentechnology.brandyourself.com/ Green Technology

    DELETE

  • gray ayer

    Having used the WordPress plug-in W3 Total Cache on several of my clients' sites, I was concerned to see that there were some pretty serious security exploits. Two days ago, all of my clients who are on BlueHost experienced problems with the minification, in that it just stopped working and this caused their websites to load without any sort of style sheets. Since I also have a change-tracking plug-in installed called Simple History, I went to look at what had been done lately and I saw these entries:

    Plugin “W3 Total Cache” activated
    2 days ago by

    Plugin “W3 Total Cache” deactivated
    2 days ago by

    This wasn’t me, or any other user registered for my sites. One of my ideas for this is that the plug-in author somehow pushed an update along, or maybe BlueHost did some script on all their sites. I don’t know, and I’m looking for some answers as to how this happened. Can anyone help me?

  • Greg K

    This plugin still has multiple vulnerabilities, just took down one of my sites today.

  • http://noisegate95.com/ Noisegate95

    Going back and forth with "gray ayer" over on the W3TC forums – he received confirmation that some ISPs are going in and auto-updating the plugin. This is absolutely infuriating to me, as I had a customized and perfected version of W3 Total Cache working. 0.9.2.9 has torn up some sites since being released and I did not want to upgrade until those issues were resolved. The ISPs are quoting an article that clearly states that if you use a third-party comments app such as Disqus, you are not affected, yet the sites were all upgraded without any notification to the site owner, no emails, nothing. Not even a backup of the original settings.

    This auto upgrade completely screwed up four of my websites and left them in the default W3TC settings. This is not “normal” host behavior.

    BlueHost has been confirmed, I am waiting on a Justhost confirmation, but most likely will not even get a reply.

  • http://www.hopy1.com/ hopy

    Update WP Super Cache and W3TC.

  • Zach Smith

    great blog – subscribing to rss now :)

  • TG

    I could be wrong, but if you are an admin or a superadmin and log in, click on a BuddyPress page, say Groups or Members, and are using the bp-registration-options plugin to not show anyone those pages unless logged in, they get cached and shown to anyone not logged in. The only way is to empty the cache and not click on them while logged in, which is stupid. Either bp-registration-options needs to be updated or something is wrong with the WP Super Cache plugin, or even BuddyPress may be at fault. I'd like to know if someone else has that problem and the remedy. I have WSC set to not cache pages for known users and not to cache these bp pages; it still caches them and shows them to anyone. You can test to see if I am correct on blognalists.com

  • dusky

    I figured it out. It turns out that for the pages …./groups and …./members, if you don't want them to be cached, UNLIKE the author's advice, which is "Add here strings (not a filename) that forces a page not to be cached. For example, if your URLs include year and you dont want to cache last year posts, it's enough to specify the year, i.e. '/2004/'. WP-Cache will search if that string is part of the URI and if so, it will not cache that page.",

    DO NOT INCLUDE THE FORWARD SLASHES. So, just groups instead of /groups or groups/ or /groups/ and members instead of /members or members/ or /members/ etc.

    When it said /2004/ I assumed to add /members/ and /groups/ etc. The help blurb should be updated to show so for other plugins and for clarity!

  • sss
  • http://www.crypton97.us/ Tri Wahyudi

    I also use the WP Super Cache plugin, and I prefer to use the old version rather than the latest version. Indeed, not all hosting activates the Apache module that WP Super Cache needs, so when switching to 'mod_rewrite' mode Super Cache does not work as it should and only relies on PHP cache mode :)

  • Pingback: W3 Total Cache and WP Super Cache Vulnerability Being Targeted in the Wild | Sucuri Blog

  • aaa