Update your W3TC and WP Super Cache plugins

Two biggest WordPress caching plugins are reported having serious vulnerability, allowing arbitrary code execution in specific HTML comments. Meaning, adversary can post comment on your site including specific text, and bug in W3TC allows executing any code he wants. Here's an example:
<!–mfunc echo PHP_VERSION; –><!–/mfunc–>
This command will output web server PHP version in a comment area. Whats the big deal? Well, nothing stops writing into mfunc real function which will print out mysql connection strings in first comment, and use second comment to wipe out everything from your database, something like this:

<!–mfunc echo file_get_contents(ABSPATH.'wp-config.php'); –><!–/mfunc–>
If you are using 3rd party commenting plugins you are safe, but you should still keep your WordPress installation and all plugins always up to date.

Original article can be found here: http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html

Quick links to both plugins:
WordPress plugin: W3 Super Cache
WordPress plugin: W3TC


Comments

  1. rudrakshOctober 20, 2021 at 11:47 AM

    Hey,
    Thanks for sharing this blog its very helpful to implement in our work




    Regards

    .
    hire a hacker

    ReplyDelete

Post a Comment

Popular posts from this blog

Stubbing and Mocking Static Methods with PHPUnit

Image
PHPUnit has ability to stub and mock static methods. Consider the class Foo : <?php class Foo { public static function doSomething() { return static::helper(); } public static function helper() { return 'foo'; } } ?> To test the static helper() function with PHPUnit, you can write you test like that: <?php class FooTest extends PHPUnit_Framework_TestCase { public function testDoSomething() { $class = $this->getMockClass( 'Foo', /* name of class to mock */ array('helper') /* list of methods to mock */ ); $class::staticExpects($this->any()) ->method('helper') ->will($this->returnValue('bar')); $this->assertEquals( 'bar', $class::doSomething() ); } } ?> The new staticExpects() method works similar to the non-static expects
Read more

Enable HTTP/2 Support in AWS ELB

Image
This thread  was started more than a year ago, asking for when Amazon Web Services will add support for HTTP/2  into their ELB. In addition to that, people are also asking, how to configure ELB to support multiple SSL certificates. AWS support team has been reluctant on giving out any specific details on when both of these features will be available, citing: I've verified that the ELB team is aware of the interest in ELB supporting HTTP/2. Please keep an eye on What's New from Amazon Web Services: http://aws.amazon.com/new/ for any updates. What is HTTP/2? HTTP/2 is a replacement for how HTTP is expressed “on the wire.” It is not a ground-up rewrite of the protocol; HTTP methods, status codes and semantics are the same, and it should be possible to use the same APIs as HTTP/1.x (possibly with some small additions) to represent the protocol. HTTP/2 protocol is supported by major modern browsers including IE11, Edge 13, Firefox 47, Chrome 52, Safari 9.1, Opera 38, i
Read more

How To Attach Your EBS volume to multiple EC2 instances

Image
Are you exhausted from the complexities and the extra cost associated with the EFS? What if you simply need to share the EBS volume between two EC2 instances? Say no more - Amazon Web Services has an answer for you! Starting today, customers running Linux on Amazon Elastic Compute Cloud (EC2) can take advantage of new support for  attaching  Provisioned IOPS ( io1 ) EBS volumes to  multiple EC2 instances , at  no extra charge ! Multi-Attach option in EBS According to AWS, the Multi-Attach capability makes it easier to achieve higher availability for applications that provide write-ordering to maintain storage consistency. Consider the following scenario: you are running a web application behind the load balancer, and the application expects static assets, such as WordPress media uploads, theme or configuration files, shared between the instances. Instead of using EFS, you could create new PIOPS EBS volume with the Multi-Attach option, mount the volume on each s
Read more