The popular WordPress performance plugin W3 Total Cache – which is currently used by tens of thousands of websites from all over the world – has been found to expose sensitive information if it’s not configured correctly.
The researcher who has identified this issue, Jason Donenfeld, explains that users frequently deploy the plugin incorrectly. By installing it from the “add plugin” section, two attack vectors automatically appear.
“Directory listings were enabled on the cache directory, which means anyone could easily recursively download all the database cache keys, and extract ones containing sensitive information, such as password hashes,” Donenfeld wrote
on Full Disclosure.
The expert found that a simple Google search exposes a lot of websites.
Furthermore, he says that even with the directory listings turned off, cache files are publicly downloadable by default and the file names of the database cache items are easily predictable.
To demonstrate his findings, the researcher published a proof-of-concept software. As a solution to this problem, the expert advises users to tweak their .htaccess file to deny access to database cache files.
Shortly after making his findings public, Donenfeld had a chat with the author of W3 Total Cache who promised
to release a fix for the issue.