The security team at Sucuri has issued an advisory for WordPress users who have the WP Super Cache plugin activated on their sites. The popular caching plugin contains a dangerous persistent XSS vulnerability that was promptly patched in its 1.4.4 release.
Sucuri ranks the risk as “Dangerous” with a DREAD score of 8/10. Exploiting the vulnerability is relatively easy for an attacker intent on injecting a backdoor. Sucuri breaks down the technical details of the threat as follows:
Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.
When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.
WP Super Cache is currently in use on more than a million WordPress sites, according to WordPress.org. Anyone looking to exploit this particular vulnerability would find no shortage of sites to prey upon.
In the recent defacement attacks propagated by ISIL sympathizers against WordPress sites, hackers have been capitalizing on the recent vulnerability found in the Fancy Box for WordPress plugin. With just 100,000+ active installations, potentially vulnerable Fancy Box plugin users come in at a small fraction of those affected by the WP Super Cache security issue.
Short of forcing an automatic plugin update on users, WordPress.org has no way of indicating that one particular plugin update may be more imperative than other routine updates. That’s why the best practice for site administrators is to keep tabs on their installations and set aside time to update extensions as part of a regular routine. If you’re using WP Super Cache, you are advised to update as soon as possible.
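For administrators who manage several installs, the check below reads the plugin's `Version:` header from disk and flags anything older than 1.4.4. It is an added example, not code from Sucuri or the plugin's authors. It assumes the default `wp-content/plugins` layout and a plugin directory named `wp-super-cache`; the sample sites and the `main.php` file name are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 4, 4)          # first patched release, per the advisory
SLUG = "wp-super-cache"    # assumed plugin directory name
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def as_tuple(version):
    """'1.4.10' -> (1, 4, 10), so 1.4.10 sorts after 1.4.4."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def plugin_version(plugin_dir):
    """Return the Version: header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        if "Plugin Name:" in head:
            match = VERSION_RE.search(head)
            if match:
                return match.group(1)
    return None

def audit(wp_root):
    """Classify one WordPress install: absent, unknown, vulnerable or patched."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "absent", None
    version = plugin_version(plugin_dir)
    if version is None or not as_tuple(version):
        return "unknown", version
    status = "vulnerable" if as_tuple(version) < FIXED else "patched"
    return status, version

def make_site(root, name, version):
    """Build a constructed sample install so the script runs offline."""
    plugin_dir = Path(root) / name / "wp-content" / "plugins" / SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/*\nPlugin Name: WP Super Cache\nVersion: {version}\n*/\n"
    (plugin_dir / "main.php").write_text(header)
    return Path(root) / name

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in [("old", "1.4.3"), ("fixed", "1.4.4"), ("newer", "1.4.10")]:
            print(name, *audit(make_site(tmp, name, ver)))
```

Versions are compared numerically, component by component, so a release such as 1.4.10 is correctly treated as newer than 1.4.4 rather than older, as a plain string comparison would suggest.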