Insecure Wordpress Cache Plugin Renders Sensitive Data Vulnerable

wordpress logo

WordPress users beware!  Researcher Jason A. Donenfeld discovered a vulnerability in a popular WordPress plugin, W3 Total Cache, which is described as a “performance framework” that speeds up sites, speeds up page load, downloads and other important tasks in a website.

Donenfeld stated that he discovered the vulnerability while helping his brother stationed at Amundsen-Scott South Pole Station in Antarctica to troubleshoot his personal blog.

“They only get a satellite passing overhead a couple times a day, so he needed some help with performance. I was poking around and found this directory issue,” he told Security Ledger in a phone conversation.

He stated that by simply installing W3 Total Cache could potentially leave sensitive information exposed and ready for the picking.  The plugin enables a cache directory listing feature on the cache directory, which stores cached content, which means “anyone could easily recursively download all the database cache keys and extract ones containing sensitive information, such as password hashes,” Donenfeld wrote.

This is Donenfeld’s findings of the vulnerability:

“When I set it up by going to the WordPress panel and choosing “add plugin” and
selecting the plugin from the WordPress Plugin Catalog (or whatever),
it left two avenues of attack open:

“1) Directory listings were enabled on the cache directory, which means
anyone could easily recursively download all the database cache keys,
and extract ones containing sensitive information, such as password
hashes. A simple google search of
“inurl:wp-content/plugins/w3tc/dbcache” and maybe some other magic
reveals this wasn’t just an issue for me. As W3 Total Cache already
futzes with the .htaccess file, I see no reason for it not to add
“Options -Indexes” to it upon installation. I haven’t read any W3
documentation, so it’s possible this is a known and documented
misconfiguration, but maybe not.

“2) Even with directory listings off, cache files are by default
publicly downloadable, and the key values / file names of the database
cache items are easily predictable. Again, it seems odd that “deny
from all” isn’t added to the .htaccess file. Maybe it’s documented
somewhere that you should secure your directories, or maybe it isn’t;
I’m not sure.”

But Donenfeld stated that it is more of a configuration error rather than a vulnerability and suggests W3 Total Cache users to disable the “database cache” and “object cache” options, and flush any existing caches created with W3 Total Cache to take care of the situation for the mean time or until W3 Edge officially addresses the issue at hand.