WP-Super-Cache vulnerability potentially leaves 1 million+ websites exposed

WordPress is a popular open source blogging platform that has been much maligned in security circles. Having run a WordPress site now for years I can safely attest that it is no small feat to lock one down. The problem is further complicated by the use of plugins. I have been guilty of using far too many plugins in the past. My site would crawl as a result. Even now with a thinned down plugin list there is always the problem that these are code that you’re introducing into your site from a third party.

So, who wrote that code? Is it a free plugin? Did you pay for it? How confident are you in the security of that code?

*crickets*

I was afraid of that.

The problem that came to light today is in a WordPress plugin called WP-Super-Cache written by Donncha Ó Caoimh, who works as a software developer at Automattic. OK, what does the WP-Super-Cache plugin do? Well, from the plugin page they have this to say, “This plugin generates static html files from your dynamic WordPress blog. After a html file is generated your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.”

Seems simple enough. So, what exactly is the problem? There is a problem wherein a persistent XSS vulnerability exists. According to the WP-Super-Cache plugin page on WordPress.org it appears that this plugin is used on in excess of 1 million sites. Hmm, this is ugly.

The plugin works on WordPress sites up to, and including, version 4.1.1. So, what is the risk here? Well, the folks a Sucuri announced that this morning.

From Sucuri:

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.

That’s a pain. Well, the inevitable question is “what is to be done?” First off do not head to the bunker or eat your neighbors. There is a fix available for the problem already. Version 1.4.4 is available for WP-Super-Cache which fixes this persistent XSS issue.

It is fairly simple to upgrade the plugin. In your WordPress administrator panel select “Plugins” and the click on the heading “Update available”. This will list all of the associated plugins that have updates available. Pretty simple. Select the WP-Super-Cache plugin and set the “Action” drop down at the top of the page to “Update” and away it goes.

Then, if all has gone according to plan you should have a fresh install.

Get your patch on, now!