Important Security Update for WP Super Cache and W3TC

Just a month ago, a very serious security issue was discovered in two of the most popular caching plugins for WordPress – WP Super Cache and W3 Total Cache. The issue lets anyone execute custom code through the comment form of your blog.

In order to test if your blog is vulnerable to the issue, you can simply paste the following code:

<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

as a comment to any of your posts. If you don’t see anything, you are safe. However, if you see something along the lines of 5.2.17 (your server’s PHP version), then you are in trouble.

Seeing a version number such as 5.2.17 means that anyone can execute PHP code on your account, bypassing any login or authentication. This basically means that someone can take over your WordPress website, or even your hosting account.

Note: if you use a custom comments solution, like Disqus, then you are safe and you don’t have to worry.

There are also updates for WP Super Cache and W3TC that address the issue. If you use them, you should go ahead and update as soon as possible.
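For a site that cannot be updated right away, the filter below neutralises the marker in newly submitted comments before they are saved. It is an added example, not code from either plugin or from WordPress itself. The function names and the constant are hypothetical, and the `mclude` tag (the related include marker these plugins recognise) is not mentioned in this post.

```php
<?php
/**
 * Added example: meant to be dropped into wp-content/mu-plugins/ as a
 * must-use plugin. All example_* names are hypothetical.
 */

// "mfunc" is the tag shown in this post; "mclude" is its include sibling.
// Matches opening and closing markers, e.g. <!--mfunc and <!--/mfunc.
define( 'EXAMPLE_CACHE_TAG_PATTERN', '/<!--(\s*\/?\s*(?:mfunc|mclude)\b)/i' );

/** True if the text carries a dynamic-cache marker. */
function example_has_cache_tag( $text ) {
    return preg_match( EXAMPLE_CACHE_TAG_PATTERN, (string) $text ) === 1;
}

/** Escape the "<" of the HTML comment opener so the marker becomes inert text. */
function example_neutralise_cache_tags( $text ) {
    return preg_replace( EXAMPLE_CACHE_TAG_PATTERN, '&lt;!--$1', (string) $text );
}

/** preprocess_comment callback: runs before WordPress stores the comment. */
function example_filter_comment( $commentdata ) {
    if ( isset( $commentdata['comment_content'] )
        && example_has_cache_tag( $commentdata['comment_content'] ) ) {
        $post_id = isset( $commentdata['comment_post_ID'] )
            ? (int) $commentdata['comment_post_ID'] : 0;
        // Leave a trace for whoever reviews the logs.
        error_log( 'Dynamic-cache tag neutralised in comment on post ' . $post_id );
        $commentdata['comment_content'] =
            example_neutralise_cache_tags( $commentdata['comment_content'] );
    }
    return $commentdata;
}

if ( function_exists( 'add_filter' ) ) {
    // Running inside WordPress: register the filter.
    add_filter( 'preprocess_comment', 'example_filter_comment' );
} else {
    // Stand-alone run (php thisfile.php) with a constructed sample comment.
    $sample = array(
        'comment_post_ID' => 1,
        'comment_content' => 'Nice post <!--mfunc echo PHP_VERSION; --><!--/mfunc-->',
    );
    $out = example_filter_comment( $sample );
    echo $out['comment_content'], "\n";
}
```

This only covers comments submitted after the file is installed; comments already stored are not touched, and it is not a substitute for updating the plugin.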

If you wish to change your caching plugin altogether, you can consider Quick Cache or Hyper Cache.

This was first reported in the WordPress forums over a month ago. Recently Tony Perez of Sucuri blogged about the issue in order to generate more awareness.



One response to “Important Security Update for WP Super Cache and W3TC”

  1. It’s actually a great and helpful piece of information. I’m glad that you just shared this helpful information with us. Please keep us up to date like this. Thanks for sharing.
