WordPress caching plugins PHP code execution
Description
Two widely used WordPress caching plugins, WP Super Cache (versions prior to 1.3) and W3 Total Cache (versions prior to 0.9.2.9), allow unauthenticated attackers to execute arbitrary PHP code on the web server. Both plugins support "dynamic cached content": PHP placed between special HTML comment markers (<!--mfunc ... --> and <!--mclude ... -->) in a page is evaluated every time the cached copy of that page is served, so that a mostly static page can still carry live snippets. The vulnerable versions do not distinguish markers written by the theme from markers that arrive in user-supplied content. An attacker who can get text onto a cacheable page, typically by posting a blog comment containing such a marker, therefore has the embedded PHP executed by the caching engine when the next visitor requests that page, with the privileges of the web server process.
Remediation
Update the affected plugins immediately to a fixed version: WP Super Cache 1.3 or later and W3 Total Cache 0.9.2.9 or later. To remediate:
1. Log into the WordPress admin dashboard
2. Navigate to Plugins → Installed Plugins
3. Locate WP Super Cache and/or W3 Total Cache
4. Click 'Update Now' if an update is available
5. After updating, clear all cached content through the plugin settings so that no page containing an injected snippet is still served from the cache
6. Review web-server access logs, stored comments and posts, and the cache directory for the dynamic-content markers (<!--mfunc ... --> and <!--mclude ... -->), for unexpected PHP files under wp-content, and for other unauthorized file modifications that may have occurred before patching; any hit means the site should be treated as compromised, not merely patched
7. If the plugins cannot be updated immediately, consider temporarily disabling them until the update can be applied
For administrators managing multiple WordPress installations, use WP-CLI or similar tools to automate the update process across all sites.
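As an added example that is not part of this advisory or of either plugin's code, the following POSIX shell helper automates the procedure above for one or many installs. It encodes the fixed versions, triages the output of wp plugin list against them, checks stored comments and the cache directory for the dynamic-content markers, and drives the update, purge and deactivate steps with WP-CLI. The wp subcommands used (plugin update, plugin list, plugin deactivate, comment list) are real WP-CLI commands; the default cache path wp-content/cache, the sample plugin list and the sample comment are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or either plugin): triage and remediation
# helper for the WP Super Cache / W3 Total Cache dynamic-content code execution.
# Assumes WP-CLI is installed as `wp` and the cache lives under wp-content/cache.
# SAMPLE_* values below are constructed test data, not real scanner output.

# Regex for the dynamic-content markers; tolerates case and whitespace variants.
TAG_RE='<!--[[:space:]]*(mfunc|mclude)'

# fixed_version SLUG -> first fixed release of an affected plugin; exit 1 otherwise.
fixed_version() {
  case "$1" in
    wp-super-cache) echo "1.3" ;;
    w3-total-cache) echo "0.9.2.9" ;;
    *) return 1 ;;
  esac
}

# version_lt A B -> exit 0 when dotted version A is strictly lower than B.
# Components compare numerically (1.10 > 1.9); a non-numeric suffix such as
# "-beta" is ignored and a missing component counts as 0.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; ai=${ai%%[!0-9]*}; ai=${ai:-0}
    bi=${b%%.*}; bi=${bi%%[!0-9]*}; bi=${bi:-0}
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# triage_plugin_list: reads CSV "name,status,version" rows on stdin, the shape of
#   wp plugin list --fields=name,status,version --format=csv
# and prints "name status installed fixed" for each affected plugin below its fix.
triage_plugin_list() {
  while IFS=, read -r name status version; do
    [ "$name" = "name" ] && continue            # header row
    fixed=$(fixed_version "$name") || continue  # not one of the two plugins
    if version_lt "$version" "$fixed"; then
      printf '%s %s %s %s\n' "$name" "$status" "$version" "$fixed"
    fi
  done
}

# scan_for_dynamic_tags [FILE...]: print matching lines from the files given (or
# stdin); exits 0 only if a marker was found. Use on comment and post content.
scan_for_dynamic_tags() {
  grep -Ein -e "$TAG_RE" "$@"
}

# scan_cache_dir DIR: the same check, recursively over a cache directory.
scan_cache_dir() {
  grep -rEin -e "$TAG_RE" "$1"
}

# remediate_site SITE_PATH: advisory steps 1-7 for one install, via WP-CLI.
remediate_site() {
  site=$1
  # Steps 1-4: update both plugins (adjust the list if only one is installed).
  wp --path="$site" plugin update wp-super-cache w3-total-cache
  # Step 6 (cache part) before step 5, so the purge does not destroy evidence.
  scan_cache_dir "$site/wp-content/cache" && echo "WARNING: markers in cached pages on $site"
  # Step 5: drop every cached page so no poisoned copy keeps being served.
  # Assumes the default cache location; change it if the plugins were reconfigured.
  find "$site/wp-content/cache" -type f -exec rm -f {} +
  # Step 6 (content part): injected markers in stored comments.
  wp --path="$site" comment list --fields=comment_ID,comment_content --format=csv \
    | scan_for_dynamic_tags && echo "WARNING: markers in comments on $site"
  # Step 7: anything still below the fixed version (update failed) is deactivated.
  wp --path="$site" plugin list --fields=name,status,version --format=csv \
    | triage_plugin_list | while read -r name status installed fixed; do
        echo "$name $installed is below $fixed; deactivating"
        wp --path="$site" plugin deactivate "$name"
      done
}

# Constructed sample data: one vulnerable install and a comment carrying a marker.
SAMPLE_PLUGIN_CSV='name,status,version
wp-super-cache,active,1.2
w3-total-cache,inactive,0.9.2.8
akismet,active,2.5.9'
SAMPLE_COMMENT='Nice post! <!-- MFUNC echo date("c"); --><!-- /mfunc -->'

# Demo on the constructed data; remediate_site /path/to/site is run by the operator.
printf '%s\n' "$SAMPLE_PLUGIN_CSV" | triage_plugin_list
printf '%s\n' "$SAMPLE_COMMENT" | scan_for_dynamic_tags
```

For a fleet, loop remediate_site over the site roots (for s in /var/www/*; do remediate_site "$s"; done). The cache directory is scanned before it is purged on purpose: a cached page that already contains a marker is the clearest evidence that the bug was exploited, and the purge in step 5 would otherwise erase it.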