W3 Total Cache Plugin – XSS Vulnerability 9/23/2016

W3 Total Cache is an optimization plugin for WordPress that caches pages and posts to speed up a website. On September 23rd, 2016, a new Cross-Site Scripting vulnerability in the plugin, commonly known as an “XSS vulnerability,” was announced.

As of 8 pm CDT on September 23rd, 2016, there is no fix/patch available. Your only option currently is to disable the plugin! The last update was about six months ago for version

Update 9/26/2016: W3 Total Cache released version 0.9.5 to fix the exploit (and other items). Update your W3 Total Cache from here.

What is W3 Total Cache?

W3 Total Cache is active on more than 1 million WordPress websites. It touts itself as being the only WordPress Performance Optimization (WPO) framework that is designed to improve the overall user experience and page speed.

At its heart, it claims to improve speeds by up to 10 times by compressing files and images, and it can reduce file sizes by up to 80%. It stores a copy of each page so that when a user visits that page in WordPress, instead of running the database queries needed to build it, a “ready to go” copy generated for an earlier visitor is served to the new user.

Web hosting companies love it because it reduces overall server load. It uses less memory and costs less bandwidth, which allows web hosting companies to cram more users onto a single server. Since it has such a benefit for web hosting companies, they actively promote the software to their users, and as a result the plugin has become very popular.

What is a Cross-Site Scripting Vulnerability? (XSS Exploit)

A Cross-Site Scripting (XSS) vulnerability enables a hacker to inject a script into a web page that other visitors then load in their browsers. Such exploits are often used by hackers to bypass pages that would otherwise be secure, and many times they allow a hacker to gain administrative access to a website. Once they have administrative access, they are then able to upload other hacking files or virus files to exploit the website further.

In 2015 it was reported that up to 43% of all websites on the internet were susceptible to an XSS attack. The numbers fluctuate, as they depend on the software used on a website and how fast the makers of that software release an update.

What is in the W3 Total Cache XSS Vulnerability?

We learned of the hack through a posting at where they referenced a posting on a security blog by El Rincón de Zerial.

Unfortunately, he has documented the exploit on his website and provided a “how-to” guide to performing it. Many white-hat or ethical hackers report a vulnerability privately to the makers of the software or plugin; by documenting the exploit publicly on his website, however, he has opened the door for every “script kiddie” to try their hand at hacking a website.

What Can You Do To Protect Yourself?

Since the exploit is publicly posted, it is being classified as a High-Risk Exploit and needs to be monitored by all website owners.

If you use W3 Total Cache on your WordPress site, we strongly recommend that you disable the plugin until a fix has been released by the authors of the plugin. As always, we also recommend making a backup of your website to protect yourself should your site become exploited by someone.
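One way to turn the advice above into a check you can run against a WordPress install, added here as an example and not part of the original post or the plugin: read the `Version:` header from the plugin's main file and flag anything below the 0.9.5 release that fixed the issue. The sample header below is constructed for the demo; the path `wp-content/plugins/w3-total-cache/w3-total-cache.php` is the standard location of the plugin's main file.

```python
import re
from pathlib import Path

# First release that fixes the vulnerability (per the 9/26/2016 update above).
FIXED_VERSION = (0, 9, 5)

# Constructed sample of a WordPress plugin header; the version value is made up
# for this demo and is NOT a statement about any real installed copy.
SAMPLE_HEADER = """<?php
/*
Plugin Name: W3 Total Cache
Version: 0.9.4.1
*/
"""


def parse_version(header: str):
    """Extract the 'Version:' plugin header as a tuple of ints, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def is_vulnerable(version) -> bool:
    """True when the installed version predates the fixed release.

    Tuple comparison handles versions of differing length, e.g.
    (0, 9, 4, 1) < (0, 9, 5) but (0, 9, 5, 1) >= (0, 9, 5).
    """
    return version is not None and version < FIXED_VERSION


def check_install(wp_root: str):
    """Inspect a WordPress root directory and report the plugin's status."""
    plugin_file = (Path(wp_root) / "wp-content" / "plugins"
                   / "w3-total-cache" / "w3-total-cache.php")
    if not plugin_file.is_file():
        return ("not installed", None)
    # Plugin headers sit at the top of the file; reading 4 KB is plenty.
    version = parse_version(plugin_file.read_text(errors="replace")[:4096])
    status = "update or disable required" if is_vulnerable(version) else "ok"
    return (status, version)


if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print("sample header version:", v, "vulnerable:", is_vulnerable(v))
    print(check_install("/var/www/html"))  # adjust to your WordPress root
```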

Contact Big Red SEO – (402) 522-6468

Big Red SEO handles many cases of investigating and resolving hacked websites. We also offer monthly maintenance plans for website owners so that they don’t have to watch for security alerts, and it allows our team to take quick action on a site to keep things secure.

Contact Big Red SEO today if you have any questions regarding website security or are interested in one of our maintenance plans. We also provide full website audits not only from a security end of things, but we provide SEO Website Audits and Design Website Audits to ensure that you’re getting the maximum exposure of your website to your intended audience.
