A severe bug that allows access to users’ password hashes has been discovered in a third-party plugin for the highly popular WordPress content management system. The flaw resides in the W3 Total Cache plugin, an extension that helps high-traffic sites improve their performance by, among other things, caching static pages.
According to SecLists poster Jason Donenfield, the W3 Total Cache folder allows directory listings in its default configuration. This lets anyone take a peek at the contents of the /wp-content/w3tc folder and look for anything they may find interesting – in this case, cache files that hold usernames and their corresponding hashed passwords.
“Even with directory listings off, cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable. Again, it seems odd that ‘deny from all’ isn’t added to the .htaccess file. Maybe it’s documented somewhere that you should secure your directories, or maybe it isn’t; I’m not sure,” wrote Donenfield.
Luckily, WordPress uses “salting”, a cryptographic process that adds random data to each user’s password before hashing it, so the password cannot be recovered simply by brute-forcing the hash. On the other hand, since this plugin is intended mostly for high-traffic sites, an attacker could collect a large number of usernames, for instance for spear-phishing attacks.
Until an official fix becomes available from the plugin vendor, W3 Total Cache users should deny access to the database cache files by adding a “deny from all” directive to the .htaccess file in that directory.
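As an added example (not from the original report or the plugin itself), a POSIX shell helper that applies the workaround described above to the cache directory the article names: it writes a deny-all rule into the directory’s .htaccess, also switching off directory indexes and including the Apache 2.4 form of the directive, and a second function checks that the rule is in place. The directory path is an argument; it assumes an Apache host that honours .htaccess files.

```shell
#!/bin/sh
# Added example: lock down a W3 Total Cache data directory (the article's
# /wp-content/w3tc) so its cache files are no longer web-accessible.
# Assumes Apache with AllowOverride enabled for the directory.
# "Deny from all" is the Apache 2.2 syntax, "Require all denied" the 2.4 syntax.

harden_w3tc_dir() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "no such directory: $dir" >&2
    return 1
  fi
  # Keep a copy of any existing rules instead of silently overwriting them.
  if [ -f "$dir/.htaccess" ]; then
    cp "$dir/.htaccess" "$dir/.htaccess.bak"
  fi
  cat > "$dir/.htaccess" <<'EOF'
# W3 Total Cache data is read from disk by PHP; it never needs to be served.
Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Returns 0 when the directory carries a deny rule and indexes are turned off.
w3tc_dir_protected() {
  f="$1/.htaccess"
  [ -f "$f" ] || return 1
  grep -Eqi 'deny from all|require all denied' "$f" || return 1
  grep -qi 'options -indexes' "$f"
}

# Usage: sh harden_w3tc.sh /var/www/html/wp-content/w3tc
if [ "$#" -ge 1 ]; then
  harden_w3tc_dir "$1" && w3tc_dir_protected "$1" && echo "protected: $1"
fi
```

Re-check the directory after plugin upgrades, since an update may recreate the folder without the rule.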