An XSS vulnerability found in the W3 Total Cache plugin has shaken the WordPress community quite hard. W3 Total Cache was and still is one of the most famous and popular caching plugins for WordPress, with more than one million active installs according to WordPress.org plugin repository data. Despite this high degree of recognition and the impressive statistics, there is some bad news.
About six months ago Scott Tuchman complained about the poor support of the W3 Total Cache plugin in one of the WordPress-related Facebook groups. His main argument was a seven-month period in which the author released no updates. A few days later, WP Tavern published the blog post “Frederick Townes Confirms W3 Total Cache is Not Abandoned”. That was a massive relief for all W3 Total Cache users, but now W3 takes another punch.
A few days ago (21 Sep 2016) Fernando A. Lagos Berardi, aka Zerial, found and reported a Cross-Site Scripting (XSS) vulnerability in the W3 Total Cache plugin. The vulnerability is located in the W3 Total Cache admin area (Performance menu) → Support → Add new ticket page. According to Fernando (Zerial), it can be exploited when there is an active session of an admin user or another user with sufficient permissions. A patched version of the plugin has been available on GitHub for a few days, but only today (26 Sep 2016) was an official W3 Total Cache update released in the WordPress.org plugin repository. The changelog of the latest W3 Total Cache version states that the XSS vulnerability is fixed. We therefore highly recommend updating your W3 Total Cache plugin as soon as possible, to the latest available version (at least version 0.9.5).
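If you manage several WordPress sites, the quickest way to confirm you are past the patched release is to read the `Version:` line of the plugin's main file header rather than trusting the dashboard. The script below is an added example, not code from the post or from the W3 Total Cache project; it assumes the standard WordPress plugin header format and the usual plugin location `wp-content/plugins/w3-total-cache/w3-total-cache.php`, and the sample header in it is constructed. It also handles versions of different lengths (0.9.5 versus 0.9.4.1) so that a four-part version is not mistaken for a newer one just because it has more digits.

```python
"""Check whether an installed W3 Total Cache copy is at or above the
patched release (0.9.5) by reading the plugin's main-file header.

Added example; not code from the W3 Total Cache project. The header
format (a "Version:" line in the plugin's main PHP file) is the standard
WordPress plugin header. The plugin path and the sample header below are
assumptions / constructed data."""
import re
from pathlib import Path
from typing import Optional, Tuple

PATCHED_VERSION = "0.9.5"  # first release whose changelog lists the XSS fix

# Assumed location of the plugin's main file relative to the WordPress root.
PLUGIN_MAIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"

# Constructed sample of a WordPress plugin header (what the top of the
# main plugin file looks like on a real install).
SAMPLE_HEADER = """<?php
/*
Plugin Name: W3 Total Cache
Description: (sample)
Version: 0.9.4.1
Author: Frederick Townes
*/
"""

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def header_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into a tuple of ints.

    Parsing stops at the first piece with no leading digits, so a suffix
    such as '-beta' is ignored rather than raising."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_patched(installed: str, minimum: str = PATCHED_VERSION) -> bool:
    """True if installed >= minimum, comparing numerically part by part.

    Shorter tuples are padded with zeros so that 0.9.5 and 0.9.5.0 are
    equal and 0.9.4.1 does not outrank 0.9.5 by having more parts."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_header_text(header_text: str) -> dict:
    """Classify a plugin header: reports the version found and whether it
    is at or above the patched release. A missing header is reported as
    needing attention rather than silently passing."""
    version = header_version(header_text)
    if version is None:
        return {"version": None, "patched": False, "reason": "no Version header"}
    return {
        "version": version,
        "patched": is_patched(version),
        "reason": "ok" if is_patched(version) else "older than " + PATCHED_VERSION,
    }


def check_wordpress_root(wp_root: str) -> dict:
    """Read the plugin's main file from a WordPress install and check it."""
    path = Path(wp_root) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return {"version": None, "patched": False, "reason": "plugin not installed"}
    # Only the header is needed; read the first few KB instead of the whole file.
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        return check_header_text(fh.read(8192))


if __name__ == "__main__":
    import sys
    result = check_wordpress_root(sys.argv[1]) if len(sys.argv) > 1 else check_header_text(SAMPLE_HEADER)
    print(result)
```

Run it with the path of a WordPress root as the only argument (`python check_w3tc.py /var/www/site`); without an argument it evaluates the constructed sample header, which reports the pre-patch version 0.9.4.1 as not patched.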
Problems with plugins as popular as W3 Total Cache have a tremendous impact on the whole WordPress community and its trust. We hope to see fewer high-risk incidents involving the most popular WordPress plugins. Don’t forget to keep your software up to date. Keep it safe!