WordPress W3 Total Cache plugin predictable cache filenames - Vulnerability Database

Description

The W3 Total Cache plugin for WordPress contains a predictable cache filename vulnerability when database caching to disk is enabled. If the web server has directory listing enabled or the wp-content/w3tc/dbcache/ directory is web-accessible, attackers can predict cache file names and directly access their contents without authentication. This occurs because the plugin generates cache filenames using predictable patterns that can be easily guessed or enumerated.

Remediation

Immediately upgrade the W3 Total Cache plugin to version 0.9.2.5 or later, which addresses this vulnerability. After upgrading, verify that directory listing is disabled on your web server for the wp-content/w3tc/dbcache/ directory. Add or verify the following configuration:

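For Apache, ensure a .htaccess file exists in wp-content/w3tc/dbcache/ with:

Options -Indexes
# Apache 2.2 access-control syntax; Apache 2.4 honours it only with mod_access_compat loaded
Order allow,deny
Deny from all
# Apache 2.4 equivalent: Require all denied

For Nginx, add to your server configuration:

location ~* ^/wp-content/w3tc/dbcache/ {
    deny all;
}
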
Additionally, review your cache files for any previously exposed sensitive data and rotate credentials if necessary. Consider using alternative caching methods such as memory-based caching (Redis, Memcached) which do not write sensitive data to web-accessible directories.
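
One way to verify the remediation, as an added example (not code from this page or from the plugin): it checks the .htaccess in wp-content/w3tc/dbcache/ on disk and classifies the HTTP response for that directory's URL. The command-line arguments are placeholders for your own WordPress root and site URL, and accepting `Require all denied` as a deny rule is an assumption based on Apache 2.4 syntax.

```python
import os
import sys
import urllib.error
import urllib.request

DBCACHE = os.path.join("wp-content", "w3tc", "dbcache")  # directory named in the advisory


def audit_htaccess(wp_root):
    """Return findings for <wp_root>/wp-content/w3tc/dbcache/.htaccess (empty list = ok)."""
    path = os.path.join(wp_root, DBCACHE, ".htaccess")
    if not os.path.isfile(path):
        return ["missing .htaccess"]
    with open(path, encoding="utf-8", errors="replace") as fh:
        # Drop comments and blank lines, collapse whitespace, lowercase.
        rules = {" ".join(l.split()).lower() for l in fh
                 if l.strip() and not l.lstrip().startswith("#")}
    findings = []
    if not any(r.startswith("options") and "-indexes" in r.split() for r in rules):
        findings.append("directory listing not disabled (Options -Indexes)")
    if not ({"deny from all", "require all denied"} & rules):  # 2.2 form or assumed 2.4 form
        findings.append("no deny-all rule")
    return findings


def classify_response(status, body):
    """Classify the HTTP response returned for the dbcache directory URL."""
    if status == 200 and "index of" in body.lower():
        return "EXPOSED: directory listing enabled"
    if status == 200:
        return "review: directory URL is served (HTTP 200)"
    if status in (403, 404):
        return "blocked"
    return "review: unexpected status %d" % status


def check_url(site):
    """Fetch <site>/wp-content/w3tc/dbcache/ on your own site and classify the result."""
    url = site.rstrip("/") + "/wp-content/w3tc/dbcache/"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify_response(resp.status, resp.read(4096).decode("latin-1"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")


if __name__ == "__main__" and len(sys.argv) == 3:  # args: <wordpress root> <site URL>
    print(audit_htaccess(sys.argv[1]) or "htaccess ok")
    print(check_url(sys.argv[2]))
```
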
