W3 Total Cache Plugin – XSS Vulnerability 9/23/2016

W3 Total Cache is an optimization plugin for WordPress which will cache pages and posts and speed up the website. On September 23rd, 2016 it was announced a new Cross Site Scripting vulnerability, commonly known as an “XSS Vulnerability.”

As of 8 pm CDT on September 23rd, 2016, there is no fix/patch available. Your only option currently is to disable the plugin! The last update was about six months ago for version

Update 9/26/2016: W3 Total Cache released version 0.9.5 to fix the exploit (and other items).  Update your W3 Total Cache from here.

What is W3 Total Cache?

W3 Total Cache is active on more than 1 million WordPress websites. It touts itself as being the only WordPress Performance Optimization (WPO) framework that is designed to improve the overall user experience and page speed.

At its heart, it claims to improve speeds by up to 10 times by compressing files and images and can reduce file sizes by up to 80%. It takes a copy of a page and stores it so that when a user visits a page in WordPress, instead of having to make queries to the database to retrieve information, it has a “ready to go” page that was accessed by another user, and it’s that page that is served to the new user.

Web Hosting companies love it as it reduces overall server performance. It uses less memory and costs less bandwidth, which allows web hosting companies can cram more users on a single server. Since it has such a benefit for web hosting companies, they actively promote the software to their users, and as a result, it has made the plugin very popular with users.

What is a Cross-Site Scripting Vulnerability? (XSS Exploit)

The Cross-site scripting (XSS) exploit or vulnerability enables a hacker to inject a script into a web page. Often the exploits are used by hackers to bypass pages that would otherwise be secure, and many times allow a hacker to gain administrative access to a website. Once they have administration access, they are then able to upload other hacking files or virus files to exploit the website further.

In 2015 it was reported that up to 43% of all websites on the internet were susceptible to an XSS attack. The numbers fluctuate as it will depend on the software used on a website and how fast the makers of the software release an update.

What is in the W3 Total Cache XSS Vulnerability?

We learned of the hack through a posting at where they referenced a posting on a security blog by El Rincón de Zerial.

Unfortunately, he has documented the exploit on his website and provided a “how-to” guide to performing the exploit. Many white hat or ethical hackers will report the vulnerability privately to the makers of the software or plugin, however, by documenting the exploit publicly on his website, he has opened the door for every “script kiddie” to try their hand at hacking a website.

What Can You Do To Protect Yourself?

Since the exploit is publicly posted, it is being classified as a High-Risk Exploit and needs to be monitored by all website owners.

If you use W3 Total Cache on your WordPress site, we strongly recommend that you disable the plugin until a fix has been released by the authors of the plugin. As always, we also recommend making a backup of your website to protect yourself should your site become exploited by someone.

Contact Big Red SEO – (402) 522-6468

Big Red SEO handles many cases of investigating and resolving website hacked websites. We also offer monthly maintenance plans for websites owners so that they don’t have to watch for security alerts, and it allows our team to take quick action on a site to keep things secure.

Contact Big Red SEO today if you have any questions regarding website security or are interested in one of our maintenance plans. We also provide full website audits not only from a security end of things, but we provide SEO Website Audits and Design Website Audits to ensure that you’re getting the maximum exposure of your website to your intended audience.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email
Check Out These Other Articles

SEO Article Writing 101 by Big Red SEO

Many people are highly intimidated by the thought of article writing. The majority of people didn’t like writing essays in school and fear that article writing is the same thing. At Big Red SEO, we can deliver good news in telling you that article writing is actually very achievable. The key to successfully writing an article or managing blog content

SEO Link Building No-No’s in a Post-Penguin World

If you read our post about Google Panda and Penguin, then you’ll remember that one of the goals of these search engine updates was to punish black-hat SEO. In this post, Big Red SEO listed a few black-hat SEO practices you should avoid, but we didn’t do very much explaining past that. So, today we’re going to enlighten you. As

Big Red SEO Discusses What Google Trends Do for Your SEO

You know when you are making a website and trying to think of the best keywords to use, but you don’t know if your keywords are accurate enough to get traffic from possible customers? Google Trends along with the Keyword Planner are great tools to use to enhance the SEO for your company. The way Google Trends works is you