W3 Total Cache Plugin – XSS Vulnerability 9/23/2016

W3 Total Cache is an optimization plugin for WordPress that caches pages and posts to speed up a website. On September 23rd, 2016, a new Cross-Site Scripting vulnerability, commonly known as an “XSS vulnerability,” was announced in the plugin.

As of 8 pm CDT on September 23rd, 2016, there is no fix or patch available. Your only option currently is to disable the plugin! The last update was about six months ago for version

Update 9/26/2016: W3 Total Cache released version 0.9.5 to fix the exploit (and other items). Update your W3 Total Cache from here.

What is W3 Total Cache?

W3 Total Cache is active on more than 1 million WordPress websites. It touts itself as being the only WordPress Performance Optimization (WPO) framework that is designed to improve the overall user experience and page speed.

At its heart, it claims to improve speeds by up to 10 times by compressing files and images, and it can reduce file sizes by up to 80%. It stores a copy of each page that has been built for one visitor so that when another user visits the same page, WordPress serves that stored “ready to go” copy instead of querying the database again to rebuild it.

Web hosting companies love it because it reduces overall server load: cached pages use less memory and less bandwidth, which allows hosting companies to fit more customers on a single server. Because it benefits them so much, hosting companies actively promote the plugin to their users, and as a result it has become very popular.

What is a Cross-Site Scripting Vulnerability? (XSS Exploit)

A cross-site scripting (XSS) vulnerability enables an attacker to inject a script into a web page that other visitors then load in their browsers. Such exploits are often used to get around protections that would otherwise keep a page secure, and in many cases they allow an attacker to gain administrative access to a website. Once they have administrative access, they can upload further malicious files to exploit the website.

In 2015 it was reported that up to 43% of all websites on the internet were susceptible to an XSS attack. The number fluctuates, since it depends on the software a website uses and how quickly the makers of that software release updates.

What is in the W3 Total Cache XSS Vulnerability?

We learned of the hack through a posting at where they referenced a posting on a security blog by El Rincón de Zerial.

Unfortunately, he has documented the exploit on his website and provided a “how-to” guide to performing it. Many white-hat or ethical hackers report a vulnerability privately to the makers of the software or plugin; by documenting the exploit publicly on his website, he has opened the door for every “script kiddie” to try their hand at hacking a website.

What Can You Do To Protect Yourself?

Because the exploit is publicly posted, it is being classified as a high-risk exploit and needs to be monitored by all website owners.

If you use W3 Total Cache on your WordPress site, we strongly recommend that you disable the plugin until a fix has been released by the authors of the plugin. As always, we also recommend making a backup of your website so that you are protected should your site be compromised.
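The two steps this post recommends (disable the plugin while it is unpatched, then update to the fixed release 0.9.5 from the 9/26 update note) can be checked from the command line. The script below is an added example, not from the original post or from the plugin's authors; it assumes WP-CLI (`wp`) is installed, that the plugin uses its real slug `w3-total-cache`, and that `SITE_PATH` is a placeholder you replace with your WordPress root.

```shell
#!/bin/sh
# Added example (not from the original post): query the installed W3 Total Cache
# version with WP-CLI and deactivate the plugin when it is older than the fixed
# release 0.9.5 named in the post. SITE_PATH is a placeholder for your site root.
SITE_PATH="${SITE_PATH:-/var/www/html}"
FIXED_VERSION="0.9.5"

# version_lt A B: succeed (exit 0) when A is older than B.
# Compares up to three dot-separated numeric parts; missing parts count as 0.
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(echo "$1" | cut -d. -f"$i"); y=$(echo "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# action_for_version VERSION: prints "deactivate" when the installed version is
# still vulnerable (below 0.9.5), otherwise "ok".
action_for_version() {
  if version_lt "$1" "$FIXED_VERSION"; then echo deactivate; else echo ok; fi
}

# check_w3tc: read the live version from the site and act on it.
check_w3tc() {
  installed=$(wp plugin get w3-total-cache --field=version --path="$SITE_PATH" 2>/dev/null) || {
    echo "w3-total-cache is not installed at $SITE_PATH"; return 0; }
  case "$(action_for_version "$installed")" in
    deactivate)
      echo "W3 Total Cache $installed is older than $FIXED_VERSION: deactivating"
      wp plugin deactivate w3-total-cache --path="$SITE_PATH" ;;
    ok)
      echo "W3 Total Cache $installed is at or above $FIXED_VERSION" ;;
  esac
}

# Only touch a site when WP-CLI is actually available on this machine.
if command -v wp >/dev/null 2>&1; then check_w3tc; fi
```

Once 0.9.5 is available, `wp plugin update w3-total-cache --path="$SITE_PATH"` followed by re-running this script should report the plugin as at or above the fixed version.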

Contact Big Red SEO – (402) 522-6468

Big Red SEO handles many cases of investigating and cleaning up hacked websites. We also offer monthly maintenance plans for website owners so that they don’t have to watch for security alerts themselves, and so that our team can take quick action on a site to keep it secure.

Contact Big Red SEO today if you have any questions regarding website security or are interested in one of our maintenance plans. We also provide full website audits, not only from a security standpoint: our SEO Website Audits and Design Website Audits help ensure that your website gets maximum exposure to your intended audience.
