secuvera-SA-2014-01: Reflected XSS in W3 Total Cache Affected Products W3 Total Cache 0.9.4 (older releases have not been tested) "The only WordPress Performance Optimization (WPO) framework; designed to improve user experience and page speed. (..) W3 Total Cache improves the user experience of your site by increasing server performance, reducing the download times and providing transparent content delivery network (CDN) integration." References https://wordpress.org/plugins/w3-total-cache/ https://www.secuvera.de/advisories/secuvera-SA-2014-01.txt https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8724 Summary: If the option "Page cache debug info" is enabled, W3 Total Cache adds some HTML-Comments including the "Cache key" which is the URL itself. The URL is just reflected without any output encoding. Effect: An attacker could include clientside Scriptcode in a request, which will be reflected by the application. Using some social engineering an attacker would be able to compromise users of the application. Vulnerable Scripts: Debug Function Examples: https://$victim/nothing--<script>alert("XSS")</script> Solution: Install bug fix release. Always make sure to disable debug function in productive environments. Disclosure Timeline: 2014/09/17 vendor contacted via https://www.w3-edge.com/contact/ 2014/10/07 vendor reacted including a first patch preview 2014/10/14 notified vendor the patch does not address the issue 2014/10/24 vendor sent a second patch preview 2014/12/10 vendor published 0.9.4.1 release 2014/12/16 public disclosure Credits: Tobias Glemser, secuvera GmbH tglemser@secuvera.de https://www.secuvera.de Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.