WP Media is reporting a high risk XSS vulnerability in W3 Total Cache that the company learned about from El Rincón de Zerial’s security blog. The plugin is currently active on more than one million WordPress sites.
This particular vulnerability is found within the plugin’s support form that is embedded in the admin, according to WP Media’s description:
This page can be reach directly using a URL with params, then the params will fill the form.
The params are not escaped when printed on the page, leading to an XSS vulnerability.
Example of XSS URL to be avoided: https://example.com/wp-admin/admin.php?page=w3tc_support&request_type=bug_report&request_id=PAYLOAD
Then replace PAYLOAD with a malicious code.
According to Zerial, in order to exploit the vulnerability, an administrator or user with sufficient permissions must have an active session.
Because the threat is already public with no patch available, the vulnerability’s DREAD score ranks it as High Risk. It’s also easily exploitable and could potentially give an attacker the ability to inject code into the admin area and gain access to security tokens, cookies, and private data.
W3 Total Cache was updated six months ago with a fix for two security issues. The last major update, 0.9.4, was released in 2014. After many users began to wonder if the plugin was abandoned, we spoke with author Frederick Townes in March to learn the status of W3 Total Cache. His said that development and other operations have been ongoing and that his team is working towards leaving officially beta and moving towards a 1.0 release. No major updates have been issued and Townes’ company blog has remained silent.
At this point, the only option users have is to disable the plugin or use an account with author or editor permissions instead of the administrator account. The plugin’s author has been contacted about the vulnerability but there is no security update available via WordPress.org yet.