April 10, 2015
Bug Time! WP-Super-Cache Plugin
If you use the WP-Super-Cache plugin, you need to update to at least v1.4.4, now!
Researchers have discovered a vulnerability ranked as “Dangerous” for this widely used WordPress Plugin.
According to wordpress.com this plugin is in use by over 2.5 million websites, so that's a massive potential audience for any would-be criminals attempting to exploit this vulnerability.
The issue lies in the way the plugin displays data from within its cache. By using a specially crafted header and URL combination, it is possible to circumvent WordPress security and gain access to the site.
Sucuri released this statement:
Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts into the plugin's cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site's administrator to have a look at that particular section, manually.
When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme editing tools, etc.
So, the word is: update, update, and keep updated.
We have reported on other WordPress vulnerabilities too, so please check those as well, and make sure you update!
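As an added example (this is not code from the post or from the plugin itself), here is a small Python check a site operator can run to confirm the installed WP-Super-Cache version meets the 1.4.4 threshold above. It reads the standard WordPress plugin header; the plugin file path is an assumption about the plugin's layout, and the sample header is constructed.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Minimum fixed version, as stated in the post.
MIN_SAFE_VERSION = "1.4.4"

# Main plugin file relative to wp-content/plugins (assumed standard layout).
PLUGIN_MAIN_FILE = "wp-super-cache/wp-super-cache.php"


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)",
                  header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.4.10' into (1, 4, 10): a plain string compare would rank it below '1.4.4'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def needs_update(version: str, minimum: str = MIN_SAFE_VERSION) -> bool:
    """True when the installed version is older than the minimum fixed version."""
    return version_key(version) < version_key(minimum)


def check_install(plugins_dir: str) -> str:
    """Report the plugin status for a wp-content/plugins directory."""
    path = Path(plugins_dir) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return "not installed"
    # Only the header comment is needed, so read just the start of the file.
    version = parse_plugin_version(path.read_text(errors="replace")[:4096])
    if version is None:
        return "unknown version"
    return ("VULNERABLE" if needs_update(version) else "ok") + f" ({version})"


# Constructed sample header in the standard WordPress plugin header format.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Super Cache
Description: Very fast caching plugin for WordPress.
Version: 1.4.3
*/
"""

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(v, "needs update" if needs_update(v) else "ok")
    print(check_install("/var/www/html/wp-content/plugins"))  # assumed install path
```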
If you need any help with this or any other aspect of your website, please get in touch now.