
Joe Dog Software

Proudly serving the Internets since 1999

WordPress Vulnerability: wp-super-cache

Whenever someone says “PHP sucks!” Your JoeDog assumes they got that impression from WordPress. It uses inline programming tags that mix logic with content. Whenever you do that, the result is always a nice heaping mound of spaghetti code.

PHP doesn’t have to be coded this way. There are plenty of nice frameworks which support model-view-controller. Your JoeDog uses WordPress because he likes it as a blogging platform. He blogs on this site more often than he codes it; a cost-benefit analysis leads him to WordPress.

He also opens himself to vulnerabilities. Oh, look! Here’s another one now: Persistent XSS in WP-Super-Cache. Your JoeDog uses that module. What’s wrong with it?

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts into the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.
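The bug class described above is the classic one for templates that mix logic with content: an untrusted value (here, a cached file name that an attacker can influence through the request) is echoed straight into the page. The following is an added illustration, not WP-Super-Cache’s own code and not the actual vulnerable template; the function names, the listing markup and the sample entries are all made up for the example. It renders the same constructed listing twice, once raw and once with every value escaped at the point of output, and runs a simple check over both results.

```php
<?php
// Added illustration (hypothetical, not the plugin's code): a cached-file
// listing page rendered two ways. The entries come from an untrusted source;
// here they are constructed sample values.

declare(strict_types=1);

/** Constructed sample: what a cache directory listing might hand to a template. */
function sample_cache_entries(): array
{
    return [
        'wp-cache-3a1f0c.php',
        // Constructed hostile entry: a "file name" that carries markup.
        '<script>alert("xss")</script>',
    ];
}

/** The bug pattern: markup and logic interleaved, value echoed raw. */
function render_listing_unescaped(array $entries): string
{
    $html = "<ul>\n";
    foreach ($entries as $entry) {
        // Raw interpolation: any markup inside $entry becomes live HTML.
        $html .= "  <li>$entry</li>\n";
    }
    return $html . "</ul>\n";
}

/**
 * Hardened form: every untrusted value is escaped at the point of output.
 * In WordPress code the equivalent helper is esc_html(); plain PHP's
 * htmlspecialchars() is used here so the file runs stand-alone.
 */
function render_listing_escaped(array $entries): string
{
    $html = "<ul>\n";
    foreach ($entries as $entry) {
        $safe = htmlspecialchars($entry, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "  <li>$safe</li>\n";
    }
    return $html . "</ul>\n";
}

/**
 * Reviewer's check: the template never writes a <script> tag itself, so any
 * such tag in the rendered page came from the data. Crude, but enough to
 * show the difference between the two renderings.
 */
function contains_injected_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$entries = sample_cache_entries();

echo 'unescaped rendering carries a script tag: '
    . var_export(contains_injected_script(render_listing_unescaped($entries)), true) . "\n";
echo 'escaped rendering carries a script tag:   '
    . var_export(contains_injected_script(render_listing_escaped($entries)), true) . "\n";
echo render_listing_escaped($entries);
```

Two points worth taking from it. First, the escaping belongs at output time, in the template, not somewhere upstream where you have to trust that every caller remembered to do it. Second, the nonce mentioned in the advisory is an access control on who can load the page; it says nothing about what the page contains, which is why the stored payload still fires the moment an administrator opens that section.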

Fortunately, the fix is already out. If you’re also using wp-super-cache, make sure you’re running version 1.1.4. This is a dangerous vulnerability which is easy to exploit. Get up to date or get out of the game.

NOTE: Your JoeDog considers PHP a rather elegant language. Its many bad implementations and design decisions make it seem like Suck.