The WP-Super-Cache plugin has a cross-site scripting (XSS) vulnerability which could enable the attacker to gain a full access and control of the compromised website.
What Is WP-Super-Cache for?
The WP-Super-Cache is a plugin that “generates static html files from your dynamic WordPress blog. After an html file is generated, your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.”
99% of your visitors will be served static html files, and those who are not – will still benefit because they will be able to see cached files although they might be a little lower quality. In addition, the plugin will take care of your website’s front page appearance on various social networking websites.
So far, the WP-Super-Cache has:
- Over 1 million installations
- Over 7 million downloads
- Over 4,000 daily downloads
The Glitch – Cross-Site Scripting (XSS) Vulnerability
Sucuri, a security service company detecting unauthorized changes to websites, DNS, Whois, SSL and others, reported a remotely exploitable vulnerability to the plugin developers. They, on the other hand, just released the 1.4.4 version which promises to have repaired the problem.
According to Sucuri, the vulnerability is with 8 out of 10 severity score. And, although the new repaired version is released, there are still users who use previous builds containing the glitch and thus are an easy target for attackers.
The glitch includes adding a new admin account to the website, and is caused by improper sanitization of the user information.