W3 Total Cache Plugin – XSS Vulnerability 9/23/2016
W3 Total Cache is an optimization plugin for WordPress which will cache pages and posts and speed up the website. On September 23rd, 2016 it was announced a new Cross Site Scripting vulnerability, commonly known as an “XSS Vulnerability.”
As of 8 pm CDT on September 23rd, 2016,
there is no fix/patch available. Your only option currently is to disable the plugin! The last update was about six months ago for version 0.9.4.1.
Update 9/26/2016: W3 Total Cache released version 0.9.5 to fix the exploit (and other items). Update your W3 Total Cache from here.
What is W3 Total Cache?
W3 Total Cache is active on more than 1 million WordPress websites. It touts itself as being the only WordPress Performance Optimization (WPO) framework that is designed to improve the overall user experience and page speed.
At its heart, it claims to improve speeds by up to 10 times by compressing files and images and can reduce file sizes by up to 80%. It takes a copy of a page and stores it so that when a user visits a page in WordPress, instead of having to make queries to the database to retrieve information, it has a “ready to go” page that was accessed by another user, and it’s that page that is served to the new user.
Web Hosting companies love it as it reduces overall server performance. It uses less memory and costs less bandwidth, which allows web hosting companies can cram more users on a single server. Since it has such a benefit for web hosting companies, they actively promote the software to their users, and as a result, it has made the plugin very popular with users.
What is a Cross-Site Scripting Vulnerability? (XSS Exploit)
The Cross-site scripting (XSS) exploit or vulnerability enables a hacker to inject a script into a web page. Often the exploits are used by hackers to bypass pages that would otherwise be secure, and many times allow a hacker to gain administrative access to a website. Once they have administration access, they are then able to upload other hacking files or virus files to exploit the website further.
In 2015 it was reported that up to 43% of all websites on the internet were susceptible to an XSS attack. The numbers fluctuate as it will depend on the software used on a website and how fast the makers of the software release an update.
What is in the W3 Total Cache XSS Vulnerability?
Unfortunately, he has documented the exploit on his website and provided a “how-to” guide to performing the exploit. Many white hat or ethical hackers will report the vulnerability privately to the makers of the software or plugin, however, by documenting the exploit publicly on his website, he has opened the door for every “script kiddie” to try their hand at hacking a website.
What Can You Do To Protect Yourself?
Since the exploit is publicly posted, it is being classified as a High-Risk Exploit and needs to be monitored by all website owners.
If you use W3 Total Cache on your WordPress site, we strongly recommend that you disable the plugin until a fix has been released by the authors of the plugin. As always, we also recommend making a backup of your website to protect yourself should your site become exploited by someone.
Contact Big Red SEO – (402) 522-6468
Big Red SEO handles many cases of investigating and resolving website hacked websites. We also offer monthly maintenance plans for websites owners so that they don’t have to watch for security alerts, and it allows our team to take quick action on a site to keep things secure.
Contact Big Red SEO today if you have any questions regarding website security or are interested in one of our maintenance plans. We also provide full website audits not only from a security end of things, but we provide SEO Website Audits and Design Website Audits to ensure that you’re getting the maximum exposure of your website to your intended audience.