W3 Total Cache 0.9.5 Packages XSS Vulnerability Patch with Major Update


W3 Total Cache 0.9.5 was released early this morning, the first major update to the plugin since 2014. Users were expecting a security release after an XSS vulnerability was reported in the plugin last week but were surprised to find the release is packed full of new features.

In addition to the patch for the vulnerability, 0.9.5 introduces support for Opcode Cache, Redis, fragment caching, and improved PHP 7 compatibility. The release adds support for Google Drive, Amazon S3-compatible storage services, PECL memcached, srcset elements, Rackspace CDN Origin Pull, and minification of external fonts. It improves WP CLI support and nginx compatibility. The plugin also now uses the latest APIs for Cloudflare, AWS, and Rackspace Cloud Files. Those are a few of the highlights, but the changelog includes a full list of all the new features and bug fixes.

Many users are reporting in the support forums that the update crashed their sites. Some are discouraging others from updating, warning that the “latest update has even more bugs than the previous version.” At the time of publication, seven users marked the 0.9.5 update as working and 33 users marked it as broken on the plugin’s description page.

According to the release post, Frederick Townes shipped 0.9.5 with the promise of a follow-up release, knowing that it contains bugs. He encouraged users to test the update in a staging area before pushing it live:

> This release has some cosmetic bugs in the latest version of WordPress, but our test suite shows that core functionality is working as intended. Having said that, I’m sure there are other bugs and bumps in the upgrade process – we’d love to learn about those, so we can push a follow-up release. Thanks in advance for reporting any issues you find. Hopefully, you find them in a staging area and not in your production site.

The post gave no indication that the release was beta tested by users, and it seems oddly timed with the security update. Any user who wants to update to get the security fix will have to take on this major update and any bugs/issues that come with it.

A fragment of W3 Total Cache users has split off and is maintaining a community-driven fork of the plugin called Fix W3TC. Its maintainers aim to continuously incorporate fixes, improvements, and enhancements over the official WordPress release of W3 Total Cache. The project currently has seven contributors on GitHub, but getting updates is confusing for the average WordPress user.

Many of the fixes included in the 0.9.5 release were already available in the community-supported fork. Prior to the update, the maintainers of the fork were in the process of requesting to adopt W3 Total Cache, as it appeared abandoned after two years of no major updates. Since the original author has not formally abandoned it, their request was denied. The maintainers are now considering publishing the plugin to WordPress.org to make it easier to update, as regular releases and communication from Frederick Townes have been sporadic and unreliable.


6 responses to “W3 Total Cache 0.9.5 Packages XSS Vulnerability Patch with Major Update”

  1. This update gave me white screens of death on 6 of 86 sites I applied it to. There are many, many similar reports on WordPerfect support forums. I rolled back to version on my 6 crashed sites.

    No response from author yet on above crash reports.

  2. Super … glad they’re fixable. In my six sites with crashes, no new plug-ins were installed so these conflicts apparently didn’t exist with version

    I’m looking forward to an updated version as I love this plug-in!

  3. Thankfully, no issues on the sites we manage with the latest update. Although we have patched the vulnerability manually, I was very glad to learn that the plugin is not dead and the author plans on maintaining it :)

  4. The update in 0.9.5 resulted in problems with my multi-site install. I have a sub-directory install, and while trying to upload the theme files and wp-include files for the subdirectory site, I kept noticing it was only uploading to the root directories, not my multi-site directory path, plus the other directories (wp-content and wp-includes).

    I had to roll back to in order for my multi-site sites to work.

    Very disappointing.

