Millions of WordPress sites (including sites hosted by Savvii) use the caching plugin W3TotalCache to improve loading time. It has been a public secret for some months that the plugin is not actively maintained anymore. For example, support for PHP 7 is missing though this is possible by changing a few lines of code. Not very good news to put it mildly, but now something more serious has come up. A XSS vulnerability has been found in the plugin, making it insecure.
This XSS vulnerability makes it possible to alter the content and design of your website. This is done by entering a command in an input field in the feedback form in the plugin. Luckily, this can only be exploited by a user with administrator rights.
XSS vulnerabilities are regularly found in WordPress plugins, but these normally get patched before the exploit method is made public. This is the reason we don’t write a blogpost for all vulnerabilities in plugins. This case is different because the plugin is one of the most popular plugins and because the exploit is already public. Looking at recent history a patch is not expected anytime soon.
By coincidence we have tested several W3TotalCache alternatives. In the case you need a caching plugin you now have two serious options:
- WP Rocket
You can buy this plugin with a discount trough our Savvii Deals. We have warm contacts with the makers of this plugin.
- WP Super Cache
This plugin is built and maintained by automattic, the big company behind WordPress.
The other option is just relying on the Savvii Varnish caching.
We always state that updating core and plugins is a cornerstone of good security. That is not possible in this case but please keep it in mind for all other plugins and WordPress core.
Update 1 – 26-9-2016:
W3TotalCache has released version 0.9.5. This version solves the XSS vulnerability. In addition, W3TotalCache states that ‘compatibility for PHP 7 has improved’. We did not have the time to test this yet but we will keep you up to date. Please update W3TC to the latest version or remove it from your websites.
Update 2 – 26-9-2016:
W3TotalCache has made a lot of changes in 0.9.5. In many cases this leads to errors or sites breaking. We strongly advise you to test the new version locally or in a test environment before applying it on your live website(s). Of course, it still is a very good option to switch caching plugins.