Everybody likes cache. Specifically, caching plugins like WP Super Cache and W3TC which help WordPress sites load faster by serving up static HTML versions of pages instead of dynamically loading them each time. And we know everybody loves them because they have been downloaded almost 6 million times. That’s a lot of cache.
BUT. Turns out? There’s a bit of a problem. According to Tony Perez, one half of the Top Dawgs at WordPress security firm Sucuri:
two of the biggest caching plugins in WordPress have what we would classify a very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution
Tony goes on to demonstrate how, on sites running either plugin, a line (any line) of PHP code posted in the comments section would actually be executed by the server. As in, run. As in, that’s totally not supposed to happen.
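To see how comment text can end up running as PHP at all, here is a stripped-down model of the bug class. This is an added illustration, not code from WP Super Cache, W3TC or Sucuri’s write-up, and the page does not describe the plugins’ actual internals: the `<!--dyn ... -->` marker syntax, the function names and the secret are all made up for the example. The idea is simply that a page cache which lets markup in the cached HTML call back into PHP has to be very sure about who wrote that markup.

```php
<?php
declare(strict_types=1);
// Added illustration of the bug class, not code from WP Super Cache, W3TC or
// Sucuri's write-up. Marker syntax, function names and the secret are invented.

// Hypothetical "run this PHP when serving the cached copy" marker.
const DYN_TAG = '/<!--dyn\s+(.*?)\s*-->/s';

// What a theme might legitimately put in the page so one fragment stays dynamic.
const THEME_WIDGET = "<!--dyn echo 'server time: ' . gmdate('H:i'); -->";

// Vulnerable pipeline: the comment body is dropped into the page unescaped and
// the cache layer evaluates every marker it finds, no matter who wrote it.
function render_vulnerable(string $comment): string
{
    $page = "<article>" . THEME_WIDGET . "<p>{$comment}</p></article>";
    return preg_replace_callback(DYN_TAG, 'run_marker', $page);
}

// Hardened pipeline: user text is HTML-escaped before it reaches the cached
// page, so "<!--" becomes "&lt;!--" and can never match the marker pattern,
// and a marker only counts if it carries a secret that the theme knows and
// page visitors do not.
function render_hardened(string $comment, string $secret): string
{
    $widget  = "<!--dyn {$secret} echo 'server time: ' . gmdate('H:i'); -->";
    $safe    = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $page    = "<article>{$widget}<p>{$safe}</p></article>";
    $pattern = '/<!--dyn\s+' . preg_quote($secret, '/') . '\s+(.*?)\s*-->/s';
    $page    = preg_replace_callback($pattern, 'run_marker', $page);
    // Any marker-shaped text still present lacked the secret; strip it so it
    // is never picked up by a later cache pass either.
    return preg_replace(DYN_TAG, '', $page);
}

// The sink: evaluates the PHP inside a marker and returns its output. The two
// render functions differ only in what they allow to reach this point.
function run_marker(array $m): string
{
    ob_start();
    eval($m[1]);
    return (string) ob_get_clean();
}

// Constructed attacker comment: a harmless stand-in for a real payload.
$comment = "<!--dyn echo 'COMMENT CODE RAN'; -->nice post";

echo render_vulnerable($comment), "\n";
echo render_hardened($comment, 'k3y-only-the-theme-knows'), "\n";
```

Run it with `php` on the command line: the first line of output shows both the theme’s widget and the commenter’s `echo` having executed, while the second shows the widget still working and the comment rendered as inert, escaped text. The two fixes are independent and both matter: escaping user content on output stops the marker from forming in the first place, and the secret stops anything that does slip through (say, via a plugin that allows raw HTML in comments) from being evaluated.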
The plugin authors responded fairly quickly to the news and released updated versions with a fix.
So! If you happen to have either of those plugins installed, get the lead out. Update. Now.
When you’re done you can go back to wondering how these two mega-plugins BOTH missed such a gaping hole in their code.