WordPress Flaws and Vulnerabilities

W3 Total Cache Vulnerable to XSS – High Risk


W3 Total Cache, aka W3TC, is a famous caching plugin created in 2009 by Frederick Townes. W3TC is known to everyone in the WordPress community and is a commonly recommended plugin: it is always in the top 5 caching plugins, always cited in good posts about performance, and even in books.

W3TC and Durability

A few months ago, in March 2016, Frederick had to post an explanation on WPTavern saying that his plugin was not abandoned. Personally, I think that if you need to post this, your plugin is already abandoned. At the time of writing, the plugin's code has not been updated for a year, and support is not handled by the author himself; it is only users helping each other, which is cool.

W3TC and Web Security

Like every plugin author, he can run into security issues, usually reported under a non-disclosure agreement with the security consultant or team that found them. If you browse the changelogs, you can see how many security issues have been fixed over the last few years, which is also cool.

But today W3TC is vulnerable to an XSS flaw rated high risk. So, what's next? Who will fix the issue in the WordPress.org repository? You may (or may not) know that a community fork of this plugin exists on GitHub and has been patched there, but nobody except the author can update the version in the WordPress.org repository.

This means that almost nobody will receive the fix through the normal update channel, and the XSS risk will remain in their administration area, which is really bad.

W3TC and Adoption

WordPress plugins can be adopted: an author can add the adopt-me tag and then hand the plugin over to someone else. But in our case the author doesn't seem to respond and/or won't give up the plugin, since a premium version exists, still with no support and no public communication…

Usually we can ask the WordPress plugin team to let someone adopt a plugin if the author does not answer any message. Unfortunately, for this one they don't want to let anyone adopt it; you can read the answer from the WP.org team on the GitHub repo.

W3TC and the Vulnerability

The vulnerability was reported by Zerial. Let me explain it quickly:

[Screenshot: W3TC support page]

This page contains a support form. The page can be reached directly with a URL carrying parameters, and those parameters pre-fill the form fields.

Guess what: the parameters are not escaped when they are printed into the page, which leads to a reflected XSS vulnerability. As simple as that.

Example of an XSS URL to avoid: https://example.com/wp-admin/admin.php?page=w3tc_support&request_type=bug_report&request_id=PAYLOAD

Replace PAYLOAD with malicious HTML or JavaScript. Note that this page only renders for a user who is logged in with admin rights, so the attack relies on an administrator opening the link while their session is still active.
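As an added illustration, here is the vulnerable pattern described above next to a hardened version. This is not W3TC's code (the plugin's real form markup is not reproduced here); the request_id field, the function names and the payload are hypothetical. esc_attr() is WordPress's own HTML-attribute escaping function; the shim at the top exists only so the file runs outside WordPress.

```php
<?php
// Added example: vulnerable vs. hardened rendering of a query-string value
// into an admin form field. Not W3TC's code; field and function names are hypothetical.

// Shim so this file runs outside WordPress. Inside a plugin, WordPress already
// provides esc_attr(); this approximation uses htmlspecialchars() with ENT_QUOTES
// so that both single and double quotes are encoded.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE: the raw parameter is concatenated straight into an attribute value.
// Anything containing a double quote breaks out of the attribute and the tag.
function render_request_id_vulnerable(array $get) {
    $request_id = isset($get['request_id']) ? $get['request_id'] : '';
    return '<input type="text" name="request_id" value="' . $request_id . '">';
}

// HARDENED: every untrusted value is escaped for the context it lands in
// (an HTML attribute here), at output time. In a real plugin you would also
// consider requiring a nonce (check_admin_referer()) before trusting query
// parameters that pre-fill an admin form, so a link forged off-site is rejected.
function render_request_id_safe(array $get) {
    $request_id = isset($get['request_id']) ? $get['request_id'] : '';
    return '<input type="text" name="request_id" value="' . esc_attr($request_id) . '">';
}

// Constructed payload of the kind an attacker would place in the URL:
// it closes the value attribute and the input tag, then injects a script element.
$payload  = '"><script>alert(document.cookie)</script>';
$fake_get = array('request_id' => $payload);   // stands in for $_GET

echo "Vulnerable output:\n" . render_request_id_vulnerable($fake_get) . "\n\n";
echo "Hardened output:\n"   . render_request_id_safe($fake_get)       . "\n";
```

Run it with php on the command line and compare the two lines: in the vulnerable output the injected script element sits outside the input tag and would execute in the admin's browser, while in the hardened output the double quote is encoded as &quot; and the angle brackets as &lt; and &gt;, so the whole payload stays inert inside the value attribute.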

D.R.E.A.D. SCORE

Here at WP Media we use the DREAD scoring system to rate the criticality of a vulnerability. Let's do it for this one, with five criteria rated out of 10 points each:

Damage – How bad would an attack be?
Once exploited, an attacker can inject any JS/HTML into the WordPress administration area as seen by the admin's browser: writing content, adding iframes or external JS files, exfiltrating private data, security tokens (nonces) and cookies.
At least all of that, I guess.

10/10

Reproducibility – How easy is it to reproduce the attack?
A simple link carrying the raw JS/HTML code to inject; no other skill required.
8/10

Exploitability – How much work is it to launch the attack?
Hide the link behind a bit.ly-like shortener and get the admin to click it. Done.
Or embed the forged link as the src of an iframe and get the admin to visit that page. Done. (Note that WordPress sends an X-Frame-Options: SAMEORIGIN header on wp-admin pages, so browsers that honour it will refuse to render the admin page inside a third-party frame; the direct link is the reliable route.)
The "most difficult" part is finding the admin, but if you target a website, I guess you already know who it is: you know the target, you know the admin.
8/10

Affected users – How many people will be impacted?
All administrators, and only administrators (users who can reach this admin page).

4/10

Discoverability – How easy is it to discover the threat?
It's fully public now, with no patch available in the repository.

10/10

Final DREAD Score
40/50

Ratings
Very Low (≤ 10)
Low (≤ 20)
Serious (≤ 30)
High (≤ 40)
Very High (≤ 50)

This XSS is rated HIGH RISK.

W3TC and Updates

I would like to say "Stay updated!", but I can't. Samuel Woods told me that the author promises to update the plugin soon, "in a reasonable time frame", which is subjective. Until that update lands, everyone using W3TC today can be the target of this XSS attack.

How to avoid being a target? The simplest way is to always log out of your admin account and use an author or editor account for day-to-day work: the vulnerable page is only reachable by users who can manage options, so an author or editor session is not exposed to it.

You can also choose another caching solution to speed up your website.

We recommend a plugin that is updated often, with good and fast support. Free or premium, just remember that avoiding a $40 plugin in favour of one that will cost you more because of vulnerabilities, lack of support or lack of updates is not such a good idea in the end.

We, at WP Media, created WP Rocket, used by 120,000 websites and supported by a dedicated team. I'll let you search for reviews and comparisons; I don't want to tell you "we're the best", I'll leave that to our awesome users.

W3TC in the Future

What to think about this vulnerability, and about the next one? Because you may know that when a vulnerability is discovered in a product, security consultants will try to find more, and there will be blood.

Edit 09/26/2016: The plugin has been updated to 0.9.5, fixing this vulnerability.

Do you still want to use this plugin? Tell us why in the comments.

12 comments

Well, here are my 2 cents. AFAIK, to access that page you need to be logged in as a user with the “manage_options” capability, right? If a malicious user is logged in with that role in your dashboard, an XSS attack wouldn’t be the major issue you have LOL

Of course, the vulnerability exists and IMO the best alternative would be to just disable access to this page via the web server, since basically people seem to ignore bug reports after all.

@Tiago Hillebrandt – XSS exploits aren’t about someone logging in to your site and then crafting a link like that. They are about sending a link like that to someone who has admin rights to a site, and *them* clicking on the link. It’s called social engineering, it’s a targeted attack, and it depends on the fact that many people never log out of their WordPress sites.

@tiago Hello, thanks for your opinion. The flaw is not designed to be used directly by the attacker; otherwise you are right, the XSS is not the major issue.
But like @Michael (Hello Michael!) just said, it’s about forcing someone to do something; here we use a special link.
Being able to load the page and then print custom values is an XSS and also a kind of CSRF: using someone else’s rights to perform a task you wouldn’t be able to.
If you stay logged in with your admin account (like 95% of people using WordPress?), you can be the target just by clicking on a link you thought was clean.
Am I clear enough, Tiago? Don’t hesitate to ask for more help, I’ll be glad to explain again 🙂

In one of my sites I use WP Rocket and in the other W3 Total Cache. Thank you for the information.

That issue is already fixed in the forked community version though.
https://github.com/szepeviktor/fix-w3tc/pull/81

Thanks for bringing this issue into the spotlight.

We can’t keep track of all the plugins that have vulnerabilities and whose authors abandoned them but W3TC is a biggie and we use it on most of our personal and client websites.

I’ve liked the granularity in configuring w3tc but frankly it’s a little TOO much optionality.

I think I’ll give WPRocket a shot, thanks for the recommendation – got an aff link for us? 🙂

QUICK FIX:

FTP to your site and rename (or delete)

wp-content/plugins/w3-total-cache/inc/options/support/form.php

Nice tips. Thank you

Looks like you guys spoke a bit too soon…W3TC was just updated to the latest version today lol.

Because I didn’t believe in ghosts, now, I do 😉

It seems like a few cache plugins either have malicious code in them, have vulnerabilities, or have scripts that cause your browser to hang up. I tried 2 directly from the plugin repository a few days ago, and Firefox kept telling me that it couldn’t handle a script. When I copied the URL of the script it went to a site that didn’t make sense. This was a red flag for me, and I ditched those plugins altogether.

Hello @James, can you name the plugins here? If they contain vulnerabilities, we have to warn the plugins team. Thank you!
