WordPress Plugin Vulnerabilities

W3 Total Cache < 0.9.5 – Unauthenticated Security Token Bypass

Description

The /pub/apc.php file is used to empty the OPCache/APC. The script seems protected by a nonce (aka security token):
$nonce = W3_Request::get_string('nonce');
$uri = $_SERVER['REQUEST_URI'];

// Loose comparison: if wp_hash($uri) yields a numeric-looking string, "0" matches it.
if (wp_hash($uri) == $nonce) {
    // ... cache is emptied here ...
}

The flaw lies in the == operator, which is not the operator to use when comparing hashes because of PHP type juggling.

You can find an example of type juggling at https://3v4l.org/tT4l8

To exploit the vulnerability, the token computed by wp_hash() has to start with `0e` and all of its other characters have to be digits (PHP then treats it as the number 0); the user can then simply add a parameter to the URL such as `?nonce=0` and it will be accepted.
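The following is an added example, not the plugin's code, showing the loose check next to the fixed form. The expected token is a constructed value standing in for a wp_hash() output that happens to be "0e" followed only by digits.

```php
<?php
// Added example (not W3 Total Cache code): why `==` is the wrong operator
// for comparing a security token, and how hash_equals() fixes it.

// Constructed stand-in for a wp_hash() result of the form "0e" + digits.
// PHP parses such a numeric string as the float 0.0 in loose comparisons.
$expected = '0e462097431906509019562988736854';

// Vulnerable form: numeric-string juggling makes "0e..." == "0" true.
function loose_token_check(string $expected, string $supplied): bool {
    return $expected == $supplied;
}

// Fixed form: byte-for-byte, constant-time comparison, no type juggling.
function strict_token_check(string $expected, string $supplied): bool {
    return hash_equals($expected, $supplied);
}

foreach (['0', '0e1', $expected] as $nonce) {
    printf("%-36s loose=%s strict=%s\n", $nonce,
        loose_token_check($expected, $nonce) ? 'PASS' : 'fail',
        strict_token_check($expected, $nonce) ? 'PASS' : 'fail');
}
```

Only the genuine token passes the strict check; the two numeric-looking inputs pass the loose check but fail the strict one.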

Affects Plugins

Fixed in 0.9.5

Miscellaneous

Submitter
SecuPress
Verified
No

Timeline

Publicly Published
2016-09-26
Added
2016-09-26
Last Updated
2026-04-13