Is there any way to get the WordPress community involved in actually handling security issues properly? E.g. requesting CVEs, or heck, I'll settle for being notified via email directly. I found out about this stuff on Reddit (linked to Tony Perez's blog posting) so I read the code and voila:

http://wordpress.org/extend/plugins/w3-total-cache/

+* Improved security for mfunc, now disabled by default and requires security string in order to execute

+ if (!defined('W3TC_DYNAMIC_SECURITY'))
+ return;
+ $buffer = preg_replace_callback('~<!--\s*mfunc\s*' . W3TC_DYNAMIC_SECURITY . '(.*)-->(.*)<!--\s*/mfunc\s*' . W3TC_DYNAMIC_SECURITY . '\s*-->~Uis', array(

Please use CVE-2013-2010 for this issue.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
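Review bot: the W3TC_DYNAMIC_SECURITY string is concatenated straight into the regex in the `$buffer = preg_replace_callback('~<!--\s*mfunc\s*' . W3TC_DYNAMIC_SECURITY . ...` line, so a configured string containing a regex metacharacter or the `~` delimiter would change or break the pattern; it should be wrapped as `preg_quote(W3TC_DYNAMIC_SECURITY, '~')` at both places it is interpolated. The guard `if (!defined('W3TC_DYNAMIC_SECURITY')) return;` also only covers the constant being undefined: if it is defined as an empty string the pattern degrades to matching any plain `<!-- mfunc ... -->` block, which is the behaviour the changelog line says is now disabled by default, so a non-empty check belongs next to the defined() check.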