Security update: W3 Total Cache WordPress plugin
A vulnerability in a widely used WordPress plugin has been identified. In this post we link to more information and explain what to do next.
Details to date
According to this post on the National Vulnerability Database maintained by NIST, "the W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post."
WPScan provides further information, showing how this vulnerability "allows unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post." RCE Security further explains the risk this poses.
Next steps
We have performed preliminary patching across our infrastructure, but we ask end users to ensure that the W3 Total Cache plugin is updated on every WordPress instance on which they have installed it. Additionally, installing a security plugin such as Wordfence helps keep WordPress instances secure.
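A defender-side check for the update step above, added here as an example and not code from this post or from the plugin's authors: it reads the installed W3 Total Cache version from the plugin's header and flags anything below 2.8.13. It assumes the plugin sits at the standard `w3-total-cache/w3-total-cache.php` path under `wp-content/plugins`, and uses a constructed header sample so it can be run offline.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = "2.8.13"  # first fixed release, taken from the advisory text above
PLUGIN_MAIN_FILE = Path("w3-total-cache") / "w3-total-cache.php"  # assumed standard slug and main file

# Constructed sample of a WordPress plugin header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
"""

def parse_version(text):
    """Dotted version string -> comparable tuple of ints, e.g. '2.8.13' -> (2, 8, 13)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def header_version(php_source):
    """Pull the 'Version:' field out of a plugin header comment; None if it is missing."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", php_source, re.MULTILINE)
    return m.group(1) if m else None

def is_vulnerable(version):
    """True when version is older than FIXED_VERSION; pads short versions so 2.9 > 2.8.13."""
    v, fixed = parse_version(version), parse_version(FIXED_VERSION)
    width = max(len(v), len(fixed))
    return v + (0,) * (width - len(v)) < fixed + (0,) * (width - len(fixed))

def check_install(plugins_dir):
    """Inspect one wp-content/plugins directory -> (installed, version, needs_update)."""
    main_file = Path(plugins_dir) / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return (False, None, False)
    version = header_version(main_file.read_text(errors="replace"))
    if version is None:
        return (True, None, True)  # unreadable version: flag it for manual review
    return (True, version, is_vulnerable(version))

if __name__ == "__main__":
    # Usage: python check_w3tc.py /srv/site1/wp-content/plugins [...]; with no args it checks the sample header.
    if len(sys.argv) == 1:
        v = header_version(SAMPLE_HEADER)
        print(f"sample header: {v} -> {'UPDATE NEEDED' if is_vulnerable(v) else 'ok'}")
    for arg in sys.argv[1:]:
        installed, ver, vuln = check_install(arg)
        state = "not installed" if not installed else f"{ver or 'unknown'} -> " + ("UPDATE NEEDED" if vuln else "ok")
        print(f"{arg}: W3 Total Cache {state}")
```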
Stay Vigilant
Your domain is the foundation of your online presence; protect it like the valuable asset it is. If you have any further concerns about this plugin, feel free to send them to our support team and we'll be happy to help.