A security researcher has announced a serious vulnerability in the default configuration of a popular WordPress plugin.
According to Jason Donenfield in this Full Disclosure list, claims the WordPress plugin “W3 Total Cache”, which boasts high-traffic sites like Mashable and Lockergnome among its users, has serious vulnerabilities.
In the default setup, when users simply choose “add plugin” from the WordPress catalogue leaves cache directory listings enabled, according to Donenfield.
He said this allows database cache keys to be downloaded on vulnerable installations and that could expose password hashes. “A simple google search of “inurl:wp-content/plugins/w3tc/dbcache” and maybe some other magic reveals this wasn’t just an issue for me”, he writes.
The search term was later amended by Donenfield to “inurl:wp-content/w3tc”.
“Even with directory listings off,” he continues, “cache files are by default publicly downloadable, and the key values / file name of the database cache items are easily predictable.”
Donenfield says the developer of the plug-in intends to release a fix “soon”. In the meantime, he notes that “deny from all” should be set in the .htaccess file.