Security Flaw Found in WordPress W3 Total Cache Plugin


Researcher Jason A. Donenfeld recently uncovered a security flaw in the W3 Total Cache (W3TC) plugin for WordPress.

"W3 Total Cache speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, and downloads," writes TechEye's Nick Farrell. "It has more than 1.39 million users and can be seen in many sites like and"

"The problem stems from the way W3TC stores the database cache," writes Threatpost's Christopher Brook. "Since the plugin stores the cache similarly for each site, if a directory listing is left enabled, anyone can freely browse and download them. Anyone could harvest the site’s database cache keys 'and extract ones containing sensitive information, such as password hashes,' according to Donenfeld’s post."

"There is, however, some good news," writes Ghacks Technology News' Alan. "In a post to Full Disclosure Donenfeld stated that W3 Edge, the company behind this plugin, is working on an update to close the security hole. In the meantime, those using this plugin on their blogs may want to consider temporarily disabling it while they wait for an update."
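The exposure Brook describes depends on the web server listing or serving the plugin's cache directory. As an added example (not code from W3TC, W3 Edge or anyone quoted above), this Python check reads the `.htaccess` files on the server's own filesystem and reports whether a directory under the web root can be listed. The function names, the simplified Apache model and the operator-supplied directory path are assumptions.

```python
import os
import re

# Simplified model of Apache .htaccess handling (assumption): the file nearest
# the directory decides, and a server with no override is treated as listing.
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.I | re.M)
DENY_RE = re.compile(
    r"^[ \t]*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)
INDEX_FILES = ("index.html", "index.htm", "index.php")


def indexes_setting(htaccess_text):
    """Return True/False if the text sets the Indexes option, else None."""
    setting = None
    for match in OPTIONS_RE.finditer(htaccess_text):
        tokens = [t.lower() for t in match.group(1).split()]
        if any(t[0] not in "+-" for t in tokens):
            # An absolute Options line replaces every inherited option.
            setting = "indexes" in tokens or "all" in tokens
        elif "-indexes" in tokens:
            setting = False
        elif "+indexes" in tokens:
            setting = True
    return setting


def listing_exposure(web_root, rel_dir):
    """Return 'denied', 'no-listing' or 'listable'; only 'denied' blocks files."""
    web_root = os.path.abspath(web_root)
    current = os.path.abspath(os.path.join(web_root, rel_dir))
    if os.path.commonpath([web_root, current]) != web_root:
        raise ValueError("directory is outside the web root")
    # An index file is served in place of an auto-generated listing.
    has_index = any(os.path.isfile(os.path.join(current, n)) for n in INDEX_FILES)
    indexes = None
    while True:
        path = os.path.join(current, ".htaccess")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if DENY_RE.search(text):
                return "denied"
            if indexes is None:
                indexes = indexes_setting(text)
        if current == web_root:
            break
        current = os.path.dirname(current)
    return "no-listing" if (indexes is False or has_index) else "listable"
```

A result of `no-listing` means the directory cannot be browsed, but individual files are still served to anyone who requests them by name.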