Industry News

Caching Plugin Poses Serious Security Threat for Large WordPress Sites

A severe bug that exposes users’ password hashes has been discovered in a third-party plugin for the highly popular WordPress content management system. The flaw resides in the W3 Total Cache plugin, an extension that helps high-traffic sites improve their performance by, among other things, caching static pages.

According to SecLists poster Jason Donenfield, the W3 Total Cache folder allows directory listings in its default configuration. This lets anyone browse the contents of the /wp-content/w3tc folder and look for anything they may find interesting – in this case, cache files that hold usernames and their corresponding hashed passwords.

“Even with directory listings off, cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable. Again, it seems odd that ‘deny from all’ isn’t added to the .htaccess file. Maybe it’s documented somewhere that you should secure your directories, or maybe it isn’t; I’m not sure,” wrote Donenfield.

The good news is that WordPress uses “salting”, a cryptographic process that adds random data to a user’s password before hashing it, so the password can never be guessed by brute-forcing the hash. On the other hand, as this plugin is intended mostly for high-traffic sites, an attacker could collect a large number of usernames for spear-phishing attacks, for instance.

Before an official fix becomes available from the plugin vendor, W3 Total Cache plugin users should deny access to the database cache files by adding a “deny from all” directive in the .htaccess file.
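The interim workaround described above, as an added example that is not part of the original article or of the W3 Total Cache project: a small POSIX shell script that installs an .htaccess into the cache directory, disabling directory listings and denying web access to the cache files. It assumes Apache honours .htaccess files for that path (AllowOverride) and that /wp-content/w3tc, the directory named in the article, is the cache root; the function and file names are the author's own choices.

```shell
#!/bin/sh
# Added example (not from the article or the W3 Total Cache plugin).
# Hardens a W3 Total Cache directory by denying all web access to it.
# Assumes Apache reads .htaccess in the target directory (AllowOverride).

# Print the hardened .htaccess body. Both the Apache 2.2 directive quoted in
# the article ("deny from all") and the 2.4 equivalent ("Require all denied")
# are emitted, guarded by IfModule, so the file works on either version.
w3tc_htaccess_body() {
    cat <<'EOF'
# Block directory listings and any direct download of cache files.
Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# is_w3tc_protected DIR: succeed if DIR/.htaccess already denies all access.
is_w3tc_protected() {
    grep -qiE '^[[:space:]]*(deny from all|require all denied)' "$1/.htaccess" 2>/dev/null
}

# harden_w3tc_dir DIR: append the deny rules to DIR/.htaccess unless they are
# already present (idempotent). Returns 0 when DIR ends up protected.
harden_w3tc_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    f="$dir/.htaccess"
    if is_w3tc_protected "$dir"; then
        echo "already protected: $f"
        return 0
    fi
    # Existing rules are kept; ours are appended below them.
    w3tc_htaccess_body >> "$f" || return 1
    chmod 644 "$f" || return 1
    echo "protected: $f"
}

# Usage: ./harden_w3tc.sh /var/www/example/wp-content/w3tc [more dirs...]
# (the path is a placeholder; pass the real cache directory of each site)
for d in "$@"; do
    harden_w3tc_dir "$d" || exit 1
done
```

Run it once per site against the real cache directory, then confirm from a browser or with curl that requesting the directory returns 403 rather than a listing. The deny rule is only a stopgap until the plugin vendor ships a fix, and it does nothing for hashes that were already downloaded, so a password reset for exposed accounts is still advisable.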

About the author
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.