ALERT: WP Super Cache Persistent XSS Vulnerability


This is a public service announcement for all WordPress users. In case you missed it, Sucuri issued a security advisory on their blog two days ago for a persistent cross-site scripting (XSS) vulnerability affecting one of the most popular WordPress caching plugins – WP Super Cache.

From the Sucuri blog:

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.

Sucuri has given this threat a Dread Score of 8/10, making this persistent XSS vulnerability a very dangerous risk for any WordPress site running a vulnerable version of WP Super Cache. Aside from that, the exploitation level for this vulnerability is rated Very Easy: once the injected script runs in an administrator's browser, the attacker can inject a back door, add a new user with admin rights, modify WordPress theme files, or do practically anything an admin user can do from within the dashboard.

The latest version of WP Super Cache, version 1.4.4, contains a patch for this vulnerability as well as another important bug fix. If your website or blog is using an outdated and vulnerable version, please don’t delay and update immediately!

Hats off to Marc-Alexandre Montpas of Sucuri for discovering the vulnerability and to the plugin author, Donncha Ó Caoimh for quickly addressing the security issues and releasing the patched version.

You can download the latest version – WP Super Cache 1.4.4 – from the official WordPress plugin repository.

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports.

4 Comments

  1. Ade

    April 15, 2015 at 12:40 PM

    For a moment, I panicked. Thought I was still on WP Super Cache, totally forgot I switched to W3C ages ago!

    • JP Habaradas

      April 15, 2015 at 1:37 PM

      Hehe, so did you log in to your WP dashboard to check? Btw, you commented as “Adea” so I edited it for you. :D

      • Ade

        April 15, 2015 at 2:09 PM

        Thanks for fixing the name! And yeah, I hurriedly checked my plugins, hahaha!

        • JP Habaradas

          April 15, 2015 at 5:52 PM

          You’re most welcome! Better safe than sorry though, right? Hehe Btw, thanks for stopping by. :)
