WordPress cache plugins enabled remote PHP execution
The popular WordPress caching plugins WP Super Cache and W3 Total Cache, with around six million downloads between them, have both been found to have a vulnerability that allows remote users to use them to execute arbitrary PHP on the server. Cache plugins are designed to relieve the load on WordPress sites by saving the latest versions of pages in memory and serving the saved version to users from memory rather than regenerating them. Versions 1.2 and below of WP Super Cache and version 0.9.2.8 and below of W3 Total Cache are affected by the problem. Users should update to the latest WP Super Cache (1.3.1) and W3 Total Cache (0.9.2.9) to ensure they are not vulnerable.
The problems were first reported on WordPress's forums over month ago. Updates were released around a week ago to address the problem. A blog post explained how the vulnerability functioned, using HTML comments in comments. An attacker could comment on a message with PHP code embedded in a comment and once the comment was submitted, the first refresh of the page would expose the page's content to a dynamic snippet parser which would execute the PHP in the page. Disabling dynamic snippets by default can mitigate the problem, but it is simple to just update to the fixed plugins.
(djwm)