WP Super Cache XSS Vulnerability

This is a public service announcement for all WordPress users. In case you missed it, Sucuri has issued a security advisory on their blog two days ago for a persistent cross-site scripting (XSS) vulnerability affecting one of the popular WordPress caching plugins – WP Super Cache.

From the Sucuri blog:

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.

Sucuri has given this threat a Dread Score of 8/10 making this persistent XSS vulnerability a very dangerous risk for any WordPress site using a vulnerable version of WP Super Cache. Aside from that, the exploitation level for this vulnerability is considered Very Easy which means this vulnerability is easy to perform and the attacker can use this to inject a back door or insert malicious scripts, add a new user with admin rights, modify WordPress theme files or practically anything an admin user can do from within the dashboard.

The latest version of WP Super Cache, version 1.4.4 contains a patch for this vulnerability as well as another important bug fix. If your website or blog is using an outdated and vulnerable version, please don’t delay and update it immediately!

Hats off to Marc-Alexandre Montpas of Sucuri for discovering the vulnerability and to the plugin author, Donncha Ó Caoimh for quickly addressing the security issues and releasing the patched version.

You can download the latest version – WP Super Cache 1.4.4 from the official WordPress plugin repository

JaypeeOnline is supported by its audience. When you click on the advertisements or purchase through links on our site, we may earn an affiliate commission. Learn more



Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.


  • Ade, April 15, 2015 @ 12:40 PM

    For a moment, I panicked. Thought I was still on WP Super Cache, totally forgot I switched to W3C ages ago!

    • JP Habaradas, April 15, 2015 @ 1:37 PM

      Hehe so did you login to your WP dashboard to check? Btw, you commented as “Adea” so I edited it for you. :D

      • Ade, April 15, 2015 @ 2:09 PM

        Thanks for fixing the name! And yeah, I hurriedly checked my plugins, hahaha!

        • JP Habaradas, April 15, 2015 @ 5:52 PM

          You’re most welcome! Better safe than sorry though, right? Hehe Btw, thanks for stopping by. :)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.