It has come to our attention, via the fine efforts of a number of WordPress users and aficionados, that there is a serious vulnerability present in old versions of two WordPress caching plugins – WP Super Cache (any version before 1.3) and W3 Total Cache (any version before 0.9.2.9).
The vulnerability allows remote users to, amongst other things, post PHP code in a comment on a page. That code is then executed when the cached copy of the page is served, so this is an unauthenticated PHP code injection: no login or any other form of authentication is required.
There are cases where you would not be affected even with a vulnerable version of either plugin installed (for instance, if you use a third-party comment system such as Disqus, or the plugins are installed but not enabled). Even so, we strongly recommend that anyone who has either or both of these plugins installed in any WordPress instance update them immediately, or remove them if they are not being used.
The latest versions of both plugins have been successfully patched and tested and are safe to use.
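The quickest way to confirm whether an install is exposed is to read the version out of each plugin's main file and compare it against the fixed versions given above. The following script is an added example, not part of this advisory or of either plugin; it assumes the standard plugin main-file locations under wp-content/plugins (an assumption, since the advisory does not state them) and treats a plugin whose version cannot be read as vulnerable, so that a damaged or unusual header is flagged rather than silently passed.

```python
"""Added example: flag WP Super Cache / W3 Total Cache installs that are
older than the first patched release.  Not code from the original advisory.
The plugin file paths below are assumed, not stated on the page."""
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

# Plugin main file (relative to wp-content/plugins) -> (name, first fixed version).
# Fixed versions are from the advisory; the file paths are an assumption.
VULNERABLE_PLUGINS = {
    "wp-super-cache/wp-cache.php": ("WP Super Cache", "1.3"),
    "w3-total-cache/w3-total-cache.php": ("W3 Total Cache", "0.9.2.9"),
}

# WordPress plugin headers carry a "Version: x.y.z" line inside a comment block,
# with or without a leading " * ".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def parse_version(v: str) -> Tuple[int, ...]:
    """'0.9.2.9' -> (0, 9, 2, 9).  Stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so that 1.3 compares equal to 1.3.0
    b += (0,) * (n - len(b))
    return a < b


def version_from_header(text: str) -> Optional[str]:
    """Extract the Version: value from a plugin file header, if present."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def classify_headers(headers: Dict[str, str]) -> List[Tuple[str, Optional[str], bool]]:
    """headers maps a relative plugin path to the text of its main file.
    Returns [(plugin name, installed version or None, vulnerable?)].
    An unreadable version is reported as vulnerable (unknown == unsafe)."""
    findings = []
    for rel_path, (name, fixed) in VULNERABLE_PLUGINS.items():
        if rel_path not in headers:
            continue  # plugin not installed
        ver = version_from_header(headers[rel_path])
        findings.append((name, ver, ver is None or is_vulnerable(ver, fixed)))
    return findings


def scan_plugins_dir(plugins_dir: str) -> List[Tuple[str, Optional[str], bool]]:
    """Read the header of each known plugin file under plugins_dir and classify it."""
    headers: Dict[str, str] = {}
    for rel_path in VULNERABLE_PLUGINS:
        path = os.path.join(plugins_dir, rel_path)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                headers[rel_path] = fh.read(4096)  # the header is at the top
    return classify_headers(headers)


# Constructed sample header, used only to show the expected output shape.
SAMPLE_HEADER = "/*\nPlugin Name: WP Super Cache\nVersion: 1.2.9\n*/\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_plugins_dir(target) if target else classify_headers(
        {"wp-super-cache/wp-cache.php": SAMPLE_HEADER})
    for name, ver, vuln in results:
        print(f"{name}: {ver or 'unknown'} -> {'VULNERABLE' if vuln else 'ok'}")
```

Run it as `python check_cache_plugins.py /path/to/wp-content/plugins`; with no argument it classifies the constructed sample header and reports WP Super Cache 1.2.9 as vulnerable. Comparing padded numeric tuples rather than strings matters here because W3 Total Cache's four-part versions (0.9.2.8 versus 0.9.2.9) do not sort correctly as plain text.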
There are a lot of articles online relating to the finer points of this vulnerability – there is an excellent ‘post mortem’ article to be found here.
We are currently scanning all domains across our hosting platforms and notifying clients if we discover old versions present in their webspace. If you are hosted with us and are unsure whether you are affected, regardless of whether you have heard from us, you can contact us by email or call us on 0800 033 7074 if you want to discuss the matter further.