W3 Total Cache Plugin – XSS Vulnerability 9/23/2016

W3 Total Cache is an optimization plugin for WordPress that caches pages and posts to speed up the website. On September 23rd, 2016, a new Cross-Site Scripting vulnerability, commonly known as an “XSS Vulnerability,” was announced.

As of 8 pm CDT on September 23rd, 2016, there is no fix/patch available. Your only option currently is to disable the plugin! The last update was about six months ago for version

Update 9/26/2016: W3 Total Cache released version 0.9.5 to fix the exploit (and other items). Update your W3 Total Cache from here.

What is W3 Total Cache?

W3 Total Cache is active on more than 1 million WordPress websites. It touts itself as being the only WordPress Performance Optimization (WPO) framework that is designed to improve the overall user experience and page speed.

At its heart, it claims to improve speeds by up to 10 times by compressing files and images and can reduce file sizes by up to 80%. It takes a copy of a page and stores it so that when a user visits a page in WordPress, instead of having to make queries to the database to retrieve information, it has a “ready to go” page that was accessed by another user, and it’s that page that is served to the new user.

Web hosting companies love it because it reduces the overall load on the server. It uses less memory and costs less bandwidth, which allows web hosting companies to cram more users onto a single server. Since it has such a benefit for web hosting companies, they actively promote the software to their users, and as a result, the plugin has become very popular.

What is a Cross-Site Scripting Vulnerability? (XSS Exploit)

The Cross-site scripting (XSS) exploit or vulnerability enables a hacker to inject a script into a web page. Often the exploits are used by hackers to bypass pages that would otherwise be secure, and many times allow a hacker to gain administrative access to a website. Once they have administration access, they are then able to upload other hacking files or virus files to exploit the website further.

In 2015 it was reported that up to 43% of all websites on the internet were susceptible to an XSS attack. The number fluctuates, as it depends on the software used on a website and how fast the makers of that software release an update.

What is in the W3 Total Cache XSS Vulnerability?

We learned of the hack through a posting at where they referenced a posting on a security blog by El Rincón de Zerial.

Unfortunately, he has documented the exploit on his website and provided a “how-to” guide to performing the exploit. Many white hat or ethical hackers will report a vulnerability privately to the makers of the software or plugin. By documenting the exploit publicly on his website, however, he has opened the door for every “script kiddie” to try their hand at hacking a website.

What Can You Do To Protect Yourself?

Since the exploit is publicly posted, it is being classified as a High-Risk Exploit and needs to be monitored by all website owners.

If you use W3 Total Cache on your WordPress site, we strongly recommend that you disable the plugin until a fix has been released by the authors of the plugin. As always, we also recommend making a backup of your website to protect yourself should your site become exploited by someone.
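As an added example (not code from the plugin's authors or from this post), the shell script below reads the `Version:` header of an installed copy of W3 Total Cache and reports whether it is older than 0.9.5, the release that fixes the exploit. The plugin path `wp-content/plugins/w3-total-cache/w3-total-cache.php` and the header layout are assumptions about a standard WordPress install.

```shell
#!/bin/sh
# Added example: flag W3 Total Cache installs older than the fixed release.
# Assumes the standard plugin location under each WordPress root.
FIXED_VERSION="0.9.5"

# Print the value of the "Version:" header from a plugin's main PHP file.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if version $1 is strictly older than $2 (dot-separated numbers).
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Print one status word (plus the version, if known) for a WordPress root.
check_site() {
    main="$1/wp-content/plugins/w3-total-cache/w3-total-cache.php"
    if [ ! -f "$main" ]; then
        echo "not-installed"
        return 0
    fi
    ver=$(plugin_version "$main")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Check every WordPress root passed on the command line.
for site in "$@"; do
    printf '%s: %s\n' "$site" "$(check_site "$site")"
done
```

Saved under a name of your choice (for example `check_w3tc.sh`), it takes one or more WordPress root directories as arguments. It reports the version found on disk only, not whether the plugin is currently active.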

Contact Big Red SEO – (402) 522-6468

Big Red SEO handles many cases of investigating and resolving hacked websites. We also offer monthly maintenance plans for website owners so that they don’t have to watch for security alerts, and so that our team can take quick action on a site to keep things secure.

Contact Big Red SEO today if you have any questions regarding website security or are interested in one of our maintenance plans. We also provide full website audits not only from a security end of things, but we provide SEO Website Audits and Design Website Audits to ensure that you’re getting the maximum exposure of your website to your intended audience.
