WordPress Plugin Vulnerabilities

W3 Total Cache < 0.9.5 – Authenticated Arbitrary PHP Code Execution

Description

This one is very easy to exploit using the import settings feature; this is what W3TC does once your file is uploaded:
**********
/**
 * Imports config content
 *
 * @param string $filename
 * @return boolean
 */
function import($filename) {
    if (file_exists($filename) && is_readable($filename)) {
        $data = file_get_contents($filename);
        if (substr($data, 0, 5) == '<?php')
            $data = substr($data, 5);

        // The uploaded file's contents are executed as PHP code.
        $config = eval($data);

        if (is_array($config)) {
            foreach ($config as $key => $value)
                $this->set($key, $value);

            return true;
        }
    }

    return false;
}
**********
The bad line is $config = eval($data); because it means that the whole content of my file is evaluated like any other PHP code. Basically, we can send a PHP script that will create a backdoor.
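For contrast, here is an added example of an importer that parses the settings file as data instead of executing it. It is not W3 Total Cache's code and not the fix that shipped in 0.9.5 (which the page does not show); it assumes PHP 8, a JSON settings file, and the hypothetical class and allowlist names shown.

```php
<?php
// Added example, not W3 Total Cache's own code or its 0.9.5 fix: a settings
// importer that never hands file contents to eval(). It assumes PHP 8 and a
// JSON settings file, and accepts only allowlisted keys of the expected type.
// SafeConfigImporter and ALLOWED_KEYS are hypothetical names.
final class SafeConfigImporter
{
    // Hypothetical allowlist: setting name => type reported by gettype().
    private const ALLOWED_KEYS = [
        'pgcache.enabled'  => 'boolean',
        'pgcache.lifetime' => 'integer',
        'cdn.domain'       => 'string',
    ];

    /** @var array<string, mixed> applied settings */
    public array $settings = [];

    /**
     * Decode a JSON settings file and apply it atomically.
     * Returns the number of keys applied, or false if anything is rejected.
     */
    public function import(string $filename): int|false
    {
        if (!is_file($filename) || !is_readable($filename)) {
            return false;
        }
        $data = file_get_contents($filename);
        if ($data === false) {
            return false;
        }
        try {
            // Data is parsed, never executed; malformed input throws.
            $config = json_decode($data, true, 8, JSON_THROW_ON_ERROR);
        } catch (JsonException) {
            return false;
        }
        if (!is_array($config)) {
            return false;
        }
        // Validate every key first so a bad file cannot leave a half-imported
        // configuration behind; unknown keys and wrong types are rejected.
        foreach ($config as $key => $value) {
            if (gettype($value) !== (self::ALLOWED_KEYS[$key] ?? null)) {
                return false;
            }
        }
        $this->settings = array_merge($this->settings, $config);
        return count($config);
    }
}
```

A file beginning with <?php is simply invalid JSON here and is rejected before any of it can run.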

Affects Plugins

Fixed in 0.9.5

References

Classification

Type
RCE
OWASP top 10
CWE

Miscellaneous

Submitter
SecuPress
Submitter website
Submitter twitter
Verified
No

Timeline

Publicly Published
2016-09-26 (about 9 years ago)
Added
2016-09-26 (about 9 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other