A persistent cross-site scripting (XSS) vulnerability exists in some versions of a popular WordPress caching engine plugin. The issue – since fixed – exposes vulnerable sites to takeover. From there, attackers could inject malicious scripts, backdoors and so forth.
The plugin, WP Super Cache, has been installed more than one million times, according to statistics on WordPress’ plugin directory.
An attacker could leverage the vulnerability and use a query to inject scripts into the plugin’s cached file listing page, according to Marc-Alexandre Montpas, a researcher with Sucuri, who described the issue in a blog post Tuesday morning.
Some conditions do have to be in place for the attack to be carried out however.
“As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually,” Montpas writes.
This means the attacker would have to get the blog owner to visit the cache listing page to actually trigger the XSS.
Montpas found the issue, which stems from the way the plugin displays information stored in its cache file key, while going through an audit for one of Sucuri’s own pieces of software. The information stored in the plugin’s key isn’t sanitized and since that information is used by the plugin to determine which cache file is loaded, an attacker could use it to insert malicious scripts on the page.
The vulnerability was patched by its author, Donncha Ó Caoimh, a software developer at Automattic, in version 1.4.3 of the plugin over the weekend.
After releasing 1.4.3, Ó Caoimh was actually forced to release a second update of the plugin (1.4.4) to address a separate bug, where queries with GET parameters were causing fatal errors, that surfaced in the preceding patch. A fix for that issue was committed after it was reported via a user on WordPress.org’s forums.
Both Montpas and Ó Caoimh are encouraging users running older versions of the plugin to upgrade them as soon as possible.