Security Flaw Found in WordPress W3 Total Cache Plugin
W3 Edge is working on an update to patch the vulnerability.
"W3 Total Cache speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, and downloads," writes TechEye's Nick Farrell. "It has more than 1.39 million users and can be seen in many sites like mashable.com and smashingmagazine.com."
"The problem stems from the way W3TC stores the database cache," writes Threatpost's Christopher Brook. "Since the plugin stores the cache similarly for each site, if a directory listing is left enabled, anyone can freely browse and download them. Anyone could harvest the site’s database cache keys 'and extract ones containing sensitive information, such as password hashes,' according to Donenfeld’s post."
"There is, however, some good news," writes Ghacks Technology News' Alan. "In a post to Full Disclosure Donenfeld stated that W3 Edge, the company behind this plugin, is working on an update to close the security hole. In the meantime, those using this plugin on their blogs may want to consider temporarily disabling it while they wait for an update."