The WP Super Cache plugin is a very popular plugin used by over one million sites. This week was reported by Sucuri that site using this plugin could be susceptible to a cross-site scripting (XXS) vulnerability that would allow an attacker to inject a backdoor or even add a new admin user. This could be potentially very dangerous for your site & content. Luckily a new update of th eplug has been release with a patch to fix this issue. If you are using the WP Super Cache plugin, make sure it is updated to the newest version, 1.4.4. AS of this week, Sucuri has listed the security risk as “dangerous;”, meaning that is “very easy” to remotely exploit, giving it an 8 out of 10 DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) score.
An attacker could leverage the vulnerability and use a query to inject scripts into the plugin’s cached file listing page, according to Marc-Alexandre Montpas, a researcher with Sucuri, who described the issue in a blog post Tuesday morning.
WP Super Cache is generally used to optimize WP sites by converting dynamically generated pages into static HTML files that are then served to visitors. This can be reduce server resource and bandwidth consumption. However, replacing PHP-generated pages with static, cached copies has its downfalls. The biggest one is that whenever there are changes to a page, the corresponding cached file needs to be regenerated. This is a free plugin and generally delivers a decent performance boost and reduces the load on a server.
As we always recommend our clients, users would be advised to make sure that they are using the most recent version of the CMS, as well as making sure that their plugins are all updated to the latest version.