Update your W3TC and WP Super Cache plugins
The two most widely used WordPress caching plugins, WP Super Cache and W3 Total Cache (W3TC), are reported to have a serious vulnerability: both evaluate PHP wrapped in special HTML comments (the plugins' "dynamic content" tags) when serving cached pages, and that evaluation was applied to user-submitted content as well. In other words, an adversary can post a comment on your site containing such a tag, and the plugin will execute whatever PHP he put inside it. Here's an example:
<!--mfunc echo PHP_VERSION; --><!--/mfunc-->
Once that comment is cached and served, the web server prints its PHP version where the comment text should be. What's the big deal? Nothing stops the attacker from putting a real function into the mfunc block: one comment can print out the MySQL connection settings from wp-config.php, and a second comment can use them to wipe everything from your database, something like this:
<!--mfunc echo file_get_contents(ABSPATH.'wp-config.php'); --><!--/mfunc-->
If you use a third-party commenting system that loads comments through JavaScript, the comment text never lands in the cached HTML, so this particular vector does not apply to you; any other untrusted content that ends up inside a cached page still carries the same risk. Either way, keep your WordPress installation and all plugins up to date.
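If you ran either plugin before updating, the first question is whether anyone already left one of these tags in your comments. The following scanner is an added example, not code from the original post or from either plugin: it pulls the dynamic-content tags out of stored comment text and reports the PHP body of every opening tag. The `mfunc` name is the one shown above; `mclude` and `dynamic-cached-content` are the companion tag names from the same plugin feature and are an assumption taken from the plugins' documentation. The sample rows are constructed, standing in for a dump of the `comment_ID`, `comment_author` and `comment_content` columns of `wp_comments`.

```python
import re
from typing import Dict, Iterable, List

# Tag names the plugins' dynamic-content feature evaluated as PHP inside
# cached pages. "mfunc" is the one shown in the advisory above; "mclude"
# and "dynamic-cached-content" are companion tags of the same feature
# (assumption: taken from the plugins' documentation, not from the post).
DYNAMIC_TAGS = ("mfunc", "mclude", "dynamic-cached-content")

# Opening or closing tag, tolerant of stray whitespace and of the en-/em-dash
# mangling that appears when a payload has been pasted through a rich-text
# editor ("<!–mfunc … –>"). Case-insensitive on purpose: this is a hunt,
# not a parser, and a miss costs more than a false positive.
_DASH = r"(?:--|\u2013|\u2014)"
_TAG_RE = re.compile(
    r"<!\s*" + _DASH + r"\s*(?P<close>/?)\s*"
    r"(?P<name>" + "|".join(re.escape(t) for t in DYNAMIC_TAGS) + r")\b"
    r"(?P<body>.*?)" + _DASH + r"\s*>",
    re.IGNORECASE | re.DOTALL,
)


def find_dynamic_tags(html: str) -> List[Dict[str, object]]:
    """Return every dynamic-content tag in html as {name, closing, body}."""
    hits = []
    for m in _TAG_RE.finditer(html):
        hits.append({
            "name": m.group("name").lower(),
            "closing": m.group("close") == "/",
            "body": m.group("body").strip(),
        })
    return hits


def scan_comments(comments: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag comments carrying an opening dynamic tag, i.e. a PHP payload.

    Each input dict needs at least 'id', 'author' and 'content' (the
    comment_ID, comment_author and comment_content columns of wp_comments).
    Only opening tags are reported, since that is where the PHP body lives.
    """
    flagged = []
    for c in comments:
        for tag in find_dynamic_tags(str(c["content"])):
            if not tag["closing"]:
                flagged.append({
                    "id": c["id"],
                    "author": c["author"],
                    "tag": tag["name"],
                    "php": tag["body"],
                })
    return flagged


# Constructed sample rows standing in for a wp_comments dump; the payloads
# mirror the two from the post, plus benign noise and one mangled paste.
SAMPLE_COMMENTS = [
    {"id": 101, "author": "alice", "content": "Great write-up, thanks!"},
    {"id": 102, "author": "eve",
     "content": "<!--mfunc echo PHP_VERSION; --><!--/mfunc-->"},
    {"id": 103, "author": "mallory",
     "content": ("Nice site <!-- mfunc echo file_get_contents(ABSPATH.'wp-config.php'); -->"
                 "<!-- /mfunc --> keep it up")},
    {"id": 104, "author": "bob",
     "content": "<!-- an ordinary HTML comment, not a dynamic tag -->"},
    {"id": 105, "author": "trent",
     "content": "<!–mfunc system('id'); –><!–/mfunc–>"},  # pasted, dashes mangled
]

if __name__ == "__main__":
    for hit in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {hit['id']} by {hit['author']}: <!--{hit['tag']} {hit['php']} -->")
```

Run it against a real export of `wp_comments` (and, for the same reason, `wp_posts`) rather than the constructed rows; every hit is a comment that would have been executed by the vulnerable plugin versions, so treat the author and IP as hostile and check the cache directory and wp-config.php for follow-on changes.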
Original article can be found here: http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
Quick links to both plugins:
WordPress plugin: WP Super Cache
WordPress plugin: W3TC