Time to Update: Vulnerability Found in WP Super Cache WordPress Plugin
Do you have a WordPress website?
Double-check to see if you’re using the WP Super Cache plugin, and if you are, make sure that it’s the latest version (which at the time of writing is 1.4.4).
Sucuri researchers warn that WordPress sites running earlier versions of the popular WP Super Cache plugin are vulnerable to attack because of a persistent cross-site scripting (XSS) bug in the plugin that could allow an attacker to inject malicious code into the site.
Marc-Alexandre Montpas took to the Sucuri blog to explain the dangers of the XSS bug in detail:
Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.
When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.
Update the WP Super Cache Plugin ASAP!
WordPress site owners that have the WP Super Cache plugin installed are urged to update to the latest version ASAP. The vulnerability has been patched in version 1.4.4.
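For anyone looking after more than one site, the version check can be scripted. The following is an added example, not code from the article or from Sucuri: it walks a directory tree, reads the Version header of every WP Super Cache install it finds and flags anything older than 1.4.4. The plugin path wp-super-cache/wp-cache.php is an assumption about the default layout, and the sample tree is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 4, 4)  # release that patches the XSS, per the article
# Assumption: default plugin layout, main file wp-cache.php carrying a "Version:" header.
PLUGIN_GLOB = "wp-super-cache/wp-cache.php"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.M | re.I)

def installed_version(main_file):
    """Return the version tuple from the plugin header, or None if absent."""
    with open(main_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", "replace")  # header sits at the top
    m = VERSION_RE.search(head)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_patched(version):
    """Numeric comparison, so 1.4.10 sorts after 1.4.4 and 1.4 equals 1.4.0."""
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(FIXED)

def audit(root):
    """Map each plugin directory found under root to UPDATE, OK or UNKNOWN."""
    report = {}
    for main in sorted(Path(root).rglob(PLUGIN_GLOB)):
        version = installed_version(main)
        if version is None:
            status = "UNKNOWN"  # header missing or unreadable: check by hand
        else:
            status = "OK" if is_patched(version) else "UPDATE"
        report[str(main.parent.relative_to(root))] = (version, status)
    return report

def build_sample(root):
    """Constructed sample tree: three sites with made-up plugin headers."""
    for site, header in {"old": "Version: 1.4.2", "new": "Version: 1.4.10",
                         "odd": "no header here"}.items():
        d = Path(root, site, "wp-content", "plugins", "wp-super-cache")
        d.mkdir(parents=True)
        (d / "wp-cache.php").write_text("<?php\n/*\nPlugin Name: WP Super Cache\n"
                                        + header + "\n*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, (version, status) in audit(tmp).items():
            print(status, path, version)
```

An UNKNOWN result means the header could not be read, so that install should be checked by hand rather than assumed safe.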