Is there any way to get the WordPress community involved in actually
handling security issues properly? E.g. requesting CVEs, or heck,
I'll settle for being notified via email directly. I found out about
this stuff on Reddit (linked to Tony Perez's blog posting) so I read
the code and voila:
http://wordpress.org/extend/plugins/w3-total-cache/
+* Improved security for mfunc, now disabled by default and requires
security string in order to execute
+ if (!defined('W3TC_DYNAMIC_SECURITY'))
+ return;
+ $buffer = preg_replace_callback('~<!--\s*mfunc\s*' .
W3TC_DYNAMIC_SECURITY . '(.*)-->(.*)<!--\s*/mfunc\s*' .
W3TC_DYNAMIC_SECURITY . '\s*-->~Uis', array(
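Review bot: In the preg_replace_callback pattern, W3TC_DYNAMIC_SECURITY is concatenated into the regex twice without escaping, so a security string containing regex metacharacters or the `~` delimiter would change or break the match; wrapping both uses in preg_quote(W3TC_DYNAMIC_SECURITY, '~') avoids that. The guard above it only tests defined(), so a constant defined as an empty string passes and the pattern then matches any mfunc comment regardless of a secret; consider also returning when the value is empty.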
Please use CVE-2013-2010 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)