
XSS vulnerability detected in W3 Total Cache WordPress plugin

An XSS vulnerability found in the W3 Total Cache plugin has shaken the WordPress community. W3 Total Cache was, and still is, one of the best-known and most popular caching plugins for WordPress. It has more than one million active installs according to the WordPress.org plugin repository data. Despite the high degree of recognition and quite impressive statistics, there is some bad news.

About six months ago, Scott Tuchman complained about the poor support of the W3 Total Cache plugin in one of the WordPress-related Facebook groups. The main argument was a seven-month period in which the author released no updates. A few days later, WP Tavern published the blog post “Frederick Townes Confirms W3 Total Cache is Not Abandoned”. It was a massive relief for all W3 Total Cache plugin users, but now W3 has taken another punch.

XSS vulnerability

A few days ago (21 Sep 2016), Fernando A. Lagos Berardi, aka Zerial, found and reported a Cross-Site Scripting (XSS) vulnerability in the W3 Total Cache plugin. The vulnerability is in the W3 Total Cache admin area (Performance menu) > Support > Add new ticket page. According to Fernando (Zerial), the vulnerability could be exploited if there is an active session of an admin user or of another user with sufficient permissions. A patched version of the plugin has been available on GitHub for a few days, but only today (26 Sep 2016) was an official W3 Total Cache plugin update released on the WordPress.org plugin repository. The changelog of the latest W3 Total Cache plugin version says that the XSS vulnerability is fixed. We highly recommend that you update your W3 Total Cache plugin as soon as possible. Please update the plugin to the latest available version (at least version 0.9.5).
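To check which sites still run a version older than 0.9.5, the installed version can be read from the plugin header on disk. The script below is an added example, not code from the original post or from the plugin; it assumes the standard install path `wp-content/plugins/w3-total-cache/w3-total-cache.php`, and the sample header in it is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = "0.9.5"  # minimum version recommended in the article
# Assumption: standard install location of the plugin's main file.
PLUGIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

# Constructed sample header, used only for illustration and testing.
SAMPLE = "<?php\n/*\nPlugin Name: W3 Total Cache\nVersion: 0.9.4.1\n*/\n"

def header_version(php_source):
    """Return the 'Version:' value of a WordPress plugin header, or None."""
    # WordPress itself only reads the first 8 KB when parsing headers.
    m = HEADER_RE.search(php_source[:8192])
    return m.group(1) if m else None

def version_key(version):
    """'0.9.4.1' -> (0, 9, 4, 1). Suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while parts and parts[-1] == 0:  # so that 0.9.5.0 equals 0.9.5
        parts.pop()
    return tuple(parts)

def needs_update(version, fixed=FIXED):
    """True if the version is older than the fix or cannot be determined."""
    return version is None or version_key(version) < version_key(fixed)

def check_site(wp_root):
    """Report the plugin status for one WordPress root directory."""
    path = Path(wp_root) / PLUGIN_FILE
    if not path.is_file():
        return "not installed"
    version = header_version(path.read_text(errors="replace"))
    if needs_update(version):
        return f"UPDATE NEEDED (found {version})"
    return f"ok ({version})"

if __name__ == "__main__":
    # Usage: python check_w3tc.py /var/www/site1 /var/www/site2 ...
    for root in sys.argv[1:]:
        print(f"{root}: {check_site(root)}")
```

An unreadable or missing version header is reported as needing an update, so that such sites get a manual look.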

Problems with plugins as popular as W3 have a tremendous impact on the whole WordPress community and its trust. We hope to see fewer incidents of such a high risk level in the most popular WordPress plugins. Don’t forget to keep your software up to date. Keep it safe!

WordPress vulnerabilities database records

Darius S.
