A vulnerability was recently discovered in two of the most popular caching plugins that allowed the execution of arbitrary PHP code added to blog comments. Both W3 Total Cache and WP Super Cache have released updated versions that fix the problem. Users of these plugins should update to the most recent versions as soon as possible.
Many WordPress sites make use of caching plugins to reduce the amount of time that pages take to load. Without caching, a WordPress site creates every page on the fly, processing PHP code and making calls to the database. Caching plugins reduce the amount of time visitors have to wait by keeping a ready-made version of the page in memory or on the disk and serving that static version. Caching can provide an orders-of-magnitude decrease in page load times.
However, sometimes it is desirable to allow certain portions of a page to be generated dynamically while the rest of the page is cached and static. The caching plugins themselves (not WordPress core) provide a facility for this: the MFUNC fragment, a pair of HTML-comment markers of the form `<!--mfunc ... --><!--/mfunc-->`. When the plugin serves the cached copy, it finds these markers and evaluates the PHP code placed inside them, so that only that snippet is regenerated on each request.
WordPress also allows a limited whitelist of HTML tags in users' comments so that they can style their text. That whitelist filtering (wp_kses) lets HTML comments (`<!-- ... -->`) pass through.
Unfortunately, the combination of these two facilities allowed arbitrary PHP code to be smuggled in through comments. If a malicious user wrote the MFUNC markers, with PHP code between them, into a comment on a WordPress post or page, nothing stripped those HTML comments before the comment was stored and rendered into the page. When the caching plugin then processed the rendered page, it treated the attacker's markers exactly like a theme author's and executed the PHP on the server. Remote code execution by anyone who can leave a comment is about as severe as a web application vulnerability gets.
WordPress sites using either WP Super Cache older than version 1.3 or W3 Total Cache older than version 0.9.2.9 are vulnerable. The developers of both plugins have released updates that remove HTML comments from user-submitted comments, and Donncha O Caoimh, the creator of WP Super Cache, plans to disable the MFUNC functionality by default in the next release.
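The following is an added illustration of the MFUNC mechanism, the comment-based abuse of it, and the two mitigations described above. It is not code from WP Super Cache, W3 Total Cache or Frank Goossens's write-up: the marker syntax is the plugins' real `<!--mfunc ... --><!--/mfunc-->` form, but the function names, the regular expression, the sample theme fragment and the sample comment are constructed here for demonstration. It runs as a plain PHP script with no WordPress installation.

```php
<?php
// Added illustration, not code from either caching plugin. It simulates,
// in plain PHP, how an mfunc-style dynamic-cache feature turns
// <!--mfunc ... --><!--/mfunc--> markers into executed code, and shows the
// two mitigations: stripping HTML comments from user comments, and
// disabling mfunc by default.

// Marker syntax as used by the plugins' dynamic-cache feature, e.g.
//   <!--mfunc echo date('H:i'); --><!--/mfunc-->
// Group 1 is the PHP code, group 2 the static fallback between the markers.
const MFUNC_RE = '#<!--\s*mfunc\s+(.*?)\s*-->(.*?)<!--\s*/mfunc\s*-->#s';

// Vulnerable behaviour: whatever sits inside the marker is evaluated,
// regardless of whether it came from the theme or from a visitor's comment.
function process_mfunc_vulnerable(string $page): string {
    return preg_replace_callback(MFUNC_RE, function (array $m): string {
        ob_start();
        eval($m[1]);          // runs the code supplied inside the marker
        return ob_get_clean();
    }, $page);
}

// Mitigation 1 (what the plugin updates did): strip HTML comments from
// user-submitted comment text before it is stored, so mfunc markers never
// reach the rendered page. In WordPress this would hang off the
// 'pre_comment_content' filter; here it is a plain function.
function strip_html_comments(string $comment): string {
    return preg_replace('#<!--.*?-->#s', '', $comment);
}

// Mitigation 2 (the planned default): do not evaluate mfunc at all unless
// the site operator explicitly turns it on. Markers are removed, not run.
function process_mfunc_hardened(string $page, bool $mfunc_enabled = false): string {
    if (!$mfunc_enabled) {
        return preg_replace(MFUNC_RE, '', $page);
    }
    return process_mfunc_vulnerable($page);
}

// Constructed sample input: a theme fragment that legitimately uses mfunc,
// followed by a visitor comment carrying the same markers. The comment
// whitelist lets HTML comments through, so the marker survives intact.
$theme_fragment   = "<p>Served at <!--mfunc echo '12:00'; --><!--/mfunc--></p>\n";
$attacker_comment = "Nice post! <!--mfunc echo 'injected: ' . PHP_OS; --><!--/mfunc-->";

$page = $theme_fragment . '<div class="comment">' . $attacker_comment . "</div>\n";
echo "Vulnerable (both blocks run, including the one in the comment):\n";
echo process_mfunc_vulnerable($page);

$safe_page = $theme_fragment
           . '<div class="comment">' . strip_html_comments($attacker_comment) . "</div>\n";
echo "Comments stripped (only the theme's block runs):\n";
echo process_mfunc_vulnerable($safe_page);

echo "mfunc disabled (nothing is evaluated):\n";
echo process_mfunc_hardened($page);
```

The first run prints the injected string, which is the whole bug: the plugin cannot tell a marker written by the theme from one written by a commenter, so anything that keeps markers out of stored comments (or keeps the evaluator off) closes the hole. Note that stripping HTML comments only at display time would still leave the raw marker in the database, which is why the fix was applied on the way in.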
The vulnerability was discovered by Frank Goossens, who reported it to the developers of both plugins before disclosing it on the WordPress support forums. He also wrote an explanation of the exploit on his blog.