A vulnerability in the very popular caching plugin “W3 Total Cache” has been made public. If you run WordPress, check whether you have this plugin installed and whether you are running the latest version.
It turns out that this also affects WP Super Cache. Together the two plugins account for about 6.5 million downloads, and about 90% of all WordPress installations that run a cache plugin use one of them.
The issue affects blogs that have comments enabled and aren’t using a third-party comment system like Disqus.
To test whether you’re affected, you can add a comment like this:
<!--mfunc echo PHP_VERSION; --><!--/mfunc-->
If you don’t have the latest version of WP Super Cache or W3 Total Cache, this should display your PHP version, which means the installation can be exploited.
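An added example, not from the original post or from either plugin: a small Python triage script that scans comment bodies (for instance an export of the wp_comments table) for the mfunc tag used in the test above, including entity-encoded and dash-mangled variants. The sample comments, the function names and the inclusion of the sibling mclude tag are assumptions made for illustration.

```python
import html
import re

# mfunc is the tag from the test comment above; mclude is the sibling
# dynamic-fragment tag (assumption: not mentioned in the original post).
TAG_RE = re.compile(r"<!--\s*/?\s*(mfunc|mclude)\b", re.IGNORECASE)

# Constructed sample data standing in for (comment_ID, comment_content) rows.
SAMPLE_COMMENTS = [
    (101, "Great post, thanks!"),
    (102, "<!--mfunc echo PHP_VERSION; --><!--/mfunc-->"),
    (103, "testing &lt;!-- MFUNC echo 1; --&gt;"),
    (104, "Nice write-up <!-- just a note -->"),
    (105, "<!\u2013mfunc echo PHP_VERSION; \u2013><!\u2013/mfunc\u2013>"),
]


def normalize(text):
    """Undo HTML entity encoding and en-dash substitution of '--'."""
    previous = None
    while previous != text:  # repeat to unwrap nested entities (&amp;lt;)
        previous, text = text, html.unescape(text)
    return text.replace("\u2013", "--")


def classify(text):
    """Return 'raw', 'encoded' or None for one comment body."""
    if TAG_RE.search(text):
        return "raw"        # tag is present verbatim in the stored comment
    if TAG_RE.search(normalize(text)):
        return "encoded"    # tag only appears after decoding: likely a probe
    return None


def scan(comments):
    """Return [(comment_id, verdict)] for every comment that carries a tag."""
    hits = []
    for comment_id, text in comments:
        verdict = classify(text)
        if verdict:
            hits.append((comment_id, verdict))
    return hits


if __name__ == "__main__":
    for comment_id, verdict in scan(SAMPLE_COMMENTS):
        print(f"comment {comment_id}: {verdict} dynamic-fragment tag")
```

A "raw" hit means the tag is stored verbatim and should be reviewed first; "encoded" hits only match after decoding and are more likely probes or people quoting the tag.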
The W3 Total Cache plugin for WordPress is prone to a remote PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
W3 Total Cache 0.9.2.8 is vulnerable. Other versions may also be affected.