Threat caution!

XSS vulnerability detected in W3 Total Cache WordPress plugin

The XSS vulnerability found in the W3 Total Cache plugin shook the WordPress community quite hard. W3 Total Cache was and still is one of the best-known and most popular caching plugins for WordPress, with more than one million active installs according to the plugin repository data. Despite this recognition and the impressive statistics, there is some bad news.

About six months ago Scott Tuchman complained about the poor support of the W3 Total Cache plugin in one of the WordPress-related Facebook groups. His main argument was a seven-month period in which the author released no updates. A few days later, WP Tavern published the blog post “Frederick Townes Confirms W3 Total Cache is Not Abandoned”. It was a massive relief for all W3 Total Cache plugin users, but now W3 takes another punch.

XSS vulnerability

A few days ago (21 Sep 2016) Fernando A. Lagos Berardi, aka Zerial, found and reported a Cross-Site Scripting (XSS) vulnerability in the W3 Total Cache plugin. The vulnerability was discovered in the W3 Total Cache admin area, on the Performance menu > Support > Add new ticket page. According to Fernando (Zerial), the vulnerability can be exploited if there is an active session of an admin user or another user with sufficient permissions. A patched version of the plugin has been available on GitHub for a few days, but only today (26 Sep 2016) was an official W3 Total Cache plugin update released on the plugin repository. The changelog of the latest W3 Total Cache plugin version says that the XSS vulnerability is fixed, so we highly recommend updating your W3 Total Cache plugin as soon as possible. Please update the plugin to the latest available version (at least version 0.9.5).
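As an added example (not code from the post or from the plugin), a small Python check that reads a WordPress plugin file header and flags any version below the 0.9.5 minimum the post recommends. The header text below is constructed for illustration, and the plugin file path is an assumption about a typical install.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Minimum fixed version named in the post's update advice.
MIN_SAFE_VERSION = "0.9.5"

# Constructed sample of a WordPress plugin file header (not copied from W3 Total Cache).
SAMPLE_HEADER = """<?php
/*
Plugin Name: W3 Total Cache
Description: Constructed sample header for illustration only.
Version: 0.9.4.1
Author: Example
*/
"""

# Same shape WordPress itself uses to pull header fields: optional comment
# punctuation, the field name, then the value up to the next whitespace.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin file header, or None if absent."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split '0.9.4.1' into (0, 9, 4, 1); a non-numeric suffix such as 'rc1' ends parsing."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_outdated(version: str, minimum: str = MIN_SAFE_VERSION) -> bool:
    """True if version sorts below minimum; tuple comparison copes with 0.9.4.1 vs 0.9.5."""
    return version_tuple(version) < version_tuple(minimum)


def check_plugin_file(path: Path, minimum: str = MIN_SAFE_VERSION) -> Tuple[Optional[str], bool]:
    """Read an installed plugin's main file (WordPress reads only the first 8 KB of headers)
    and report (version, outdated); a missing header counts as outdated so it gets looked at."""
    text = path.read_text(encoding="utf-8", errors="replace")[:8192]
    version = plugin_version(text)
    return version, version is None or is_outdated(version, minimum)


if __name__ == "__main__":
    # Assumed default path of the plugin's main file on a typical install.
    print(check_plugin_file(Path("wp-content/plugins/w3-total-cache/w3-total-cache.php")))
```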

Problems with plugins as popular as W3 Total Cache have a tremendous impact on the whole WordPress community and its trust. We hope to see fewer incidents of such a high risk level involving the most popular WordPress plugins. Don’t forget to keep your software up to date. Keep it safe!

WordPress vulnerabilities database records

Darius S.
