Persistent XSS Vulnerability Discovered in WP Super Cache Plugin

The security team at Sucuri has issued an advisory for WordPress users who have the WP Super Cache plugin activated on their sites. The popular caching plugin contains a dangerous persistent XSS vulnerability that was promptly patched in its 1.4.4 release.

Sucuri ranks the risk as “Dangerous” with a DREAD score of 8/10. Exploiting the vulnerability is relatively easy for an attacker intent on injecting a backdoor. Sucuri breaks down the technical details of the threat as follows:

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.

WP Super Cache is currently in use on more than a million WordPress sites, according to WordPress.org. If someone is looking to exploit the vulnerability in particular, there would be no shortage of sites to prey upon.

In the recent defacement attacks propagated by ISIL sympathizers against WordPress sites, hackers have been capitalizing on the recent vulnerability found in the Fancy Box for WordPress plugin. With just 100,000+ active installations, potentially vulnerable Fancy Box plugin users come in at a small fraction of those affected by the WP Super Cache security issue.

Short of forcing an automatic plugin update on users, WordPress.org has no way of indicating that one particular plugin update may be more imperative than other routine updates. That’s why the best practice for site administrators is to keep tabs on your installations and set aside time to update extensions as part of your routine. If you’re using WP Super Cache, you are advised to update as soon as possible.

8 Comments


  1. I am one of the million users using the plugin. I have deactivated it for now and am waiting for their next update.

    Thank you for the heads up.


    1. The update is already available, you should see a notification for it in the backend of WordPress. Double check which version you’re using. If it’s 1.4.3 or higher, you’re ok.


    2. FYI – Deactivating a plugin doesn’t render it invulnerable, and it can likely still be exploited. Remove it or update it to be safe.


  2. Wouldn’t it be better if the article at the end said…

    If you’re using WP Super Cache, you are advised to update immediately

    instead of

    If you’re using WP Super Cache, you are advised to update as soon as possible


  3. This may need more inspection. I have 1 site that is (was) using WP SuperCache 1.4.4 and I was still finding the cache was getting injected with junk if not closely monitored.


  4. I am also using WP Super Cache. I believe most secure code can be hacked. But it is good the vulnerability was found and fixed. But I don’t think this is the end.
