WordPress Super Cache and W3TC Plugins are Vulnerable
- April 25, 2013 1:00 pm
The HostPapa team has just been informed of a serious vulnerability in the W3TC and WP Super Cache plugins for WordPress. The vulnerability was first reported on the WordPress.org forums, but it has gone unnoticed by most WordPress communities around the globe.
The vulnerability allows an attacker to execute arbitrary PHP code on the server of anyone running either of the plugins. This is a serious issue: an attacker who can run code on your server could, for instance, use your site to deliver malware without your knowledge, making you a victim of the dreaded Google Malware penalty screen.
The good news is that both plugin authors have recently pushed updated versions of their plugins, disabling the vulnerable functions by default. If you are using either of these plugins, we recommend that you update them immediately.
Here are the vulnerable versions for each plugin:
- W3 Total Cache (versions 0.9.2.8 and below are vulnerable; version 0.9.2.9 and up are not)
- WP Super Cache (versions 1.2 and below are vulnerable; version 1.3.x and up are not)
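To check whether an installed copy of either plugin is still on a vulnerable release, here is an added example script (not HostPapa's code and not part of either plugin) that reads the `Version:` line WordPress itself uses in a plugin's header comment and compares it against the first fixed version listed above. The plugin directory names `w3-total-cache` and `wp-super-cache`, the sample header text, and the `example-plugin` entry are assumptions constructed for the demonstration.

```python
"""Flag installed W3 Total Cache / WP Super Cache copies older than the fixed release.
Added example; the version thresholds come from the advisory, everything else is assumed."""
import re
from pathlib import Path

# First release of each plugin that the advisory lists as no longer vulnerable,
# keyed by the plugin's directory slug under wp-content/plugins/ (slugs assumed).
FIXED_VERSIONS = {
    "w3-total-cache": "0.9.2.9",
    "wp-super-cache": "1.3",
}

# WordPress reads a plugin's version from a "Version:" line in the header comment
# of its main PHP file; this matches that line whether or not it is prefixed by "*".
HEADER_RE = re.compile(r"^[\s*#/]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(version: str) -> tuple:
    """Turn '0.9.2.8' into (0, 9, 2, 8) so tuples compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)  # a suffix like 'beta' counts as 0
    return tuple(parts)


def version_from_header(source: str):
    """Return the Version: value from a plugin's header comment, or None if absent."""
    m = HEADER_RE.search(source)
    return m.group(1) if m else None


def is_vulnerable(slug: str, version: str):
    """True if this version predates the fixed release; None if the plugin is not tracked."""
    fixed = FIXED_VERSIONS.get(slug)
    if fixed is None:
        return None
    # Anything older than the first fixed release is treated as vulnerable. This is the
    # conservative reading of "1.2 and below": a 1.2.x point release would be flagged too.
    return parse_version(version) < parse_version(fixed)


def scan_sources(sources: dict) -> dict:
    """sources: {slug: main-file text}. Returns {slug: (version, vulnerable)} for tracked plugins."""
    report = {}
    for slug, text in sources.items():
        if slug not in FIXED_VERSIONS:
            continue
        version = version_from_header(text)
        report[slug] = (version, is_vulnerable(slug, version) if version else None)
    return report


def scan_plugins_dir(plugins_root) -> dict:
    """Read wp-content/plugins/<slug>/*.php for each tracked plugin and scan its header."""
    root = Path(plugins_root)
    sources = {}
    for slug in FIXED_VERSIONS:
        plugin_dir = root / slug
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            text = php.read_text(errors="replace")
            if version_from_header(text):  # first file with a header is the main file
                sources[slug] = text
                break
    return scan_sources(sources)


# Constructed sample headers standing in for the main files of three installed plugins.
SAMPLE_SOURCES = {
    "w3-total-cache": "<?php\n/*\nPlugin Name: W3 Total Cache\nVersion: 0.9.2.8\n*/\n",
    "wp-super-cache": "<?php\n/*\nPlugin Name: WP Super Cache\nVersion: 1.3.1\n*/\n",
    "example-plugin": "<?php\n/*\nPlugin Name: Example\nVersion: 2.0\n*/\n",
}

if __name__ == "__main__":
    # On a real host you would call scan_plugins_dir("/path/to/wp-content/plugins") instead.
    for slug, (version, vulnerable) in scan_sources(SAMPLE_SOURCES).items():
        status = "VULNERABLE - update now" if vulnerable else "ok"
        print(f"{slug} {version}: {status}")
```

Running the script against the constructed samples reports W3 Total Cache 0.9.2.8 as vulnerable and WP Super Cache 1.3.1 as fine; pointing `scan_plugins_dir` at a real `wp-content/plugins` directory performs the same check on what is actually installed.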
We also strongly recommend that you enable CloudFlare on your account. CloudFlare’s secure Content Delivery Network (CDN) is free for HostPapa customers. The current vulnerability is so critical that CloudFlare has applied a rule to their network to protect against it. The protection is applied automatically for all CloudFlare accounts. So, if you haven’t already enabled CloudFlare on your account, there’s never been a better time to do so.
Instructions for activating CloudFlare on your web hosting account can be found here:
Remember, always keep your scripts, plugins and tools up to date, especially when a critical vulnerability like this one comes to your attention; and as an added protection, enable CloudFlare for free in your hosting account.