Remote Code Execution Vulnerability Disclosed

It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern, however, is the seriousness of the vulnerability and the sheer volume of users between both plugins.

There are a few posts, released within the past few hours, that do a great job of explaining what the issue was and what was being exploited.

Two very popular WordPress caching plugins, WP Super Cache (4,373,811 downloads) and W3 Total Cache (1,975,480 downloads), have been affected by a vulnerability that allows remote users to execute arbitrary PHP code.

The affected versions are:

WP Super Cache (version 1.2 and below, version 1.3.x and up are OK)
W3 Total Cache (version 0.9.2.8 and below, version 0.9.2.9 is OK)

Both plugins support dynamic content on the page. You can mark parts of the page as dynamic and these will not be cached. Currently there are three tags that can be used to create dynamic snippets. You can find more information about this on the WP Super Cache FAQ page.

1. dynamic-cached-content

PHP:
    <!--dynamic-cached-content--><?php
    include_once( ABSPATH . '/scripts/adverts.php' );
    print_sidebar_ad();
    do_more_stuff();
    ?><!--
    include_once( ABSPATH . '/scripts/adverts.php' );
    print_sidebar_ad();
    do_more_stuff();
    --><!--/dynamic-cached-content-->

This code will include the file adverts.php and will execute the functions "print_sidebar_ad()" and "do_more_stuff()".

2. mfunc

PHP:
    <!--mfunc function_name( 'parameter', 'another_parameter' ) -->
    <?php function_name( 'parameter', 'another_parameter' ) ?>
    <!--/mfunc-->

This code will execute the function "function_name()".

3. mclude

PHP:
    <!--mclude file.php-->
    <?php include_once( ABSPATH . 'file.php' ); ?>
    <!--/mclude-->

This code will include file.php under the ABSPATH directory.
The problem is that these tags are HTML comments, and WordPress does not filter them. At the same time, these tags are being interpreted and causing code to be executed on the server.

To exploit this vulnerability somebody just has to post a comment containing any of the special tags mentioned above. For example, if somebody posts the comment

    <!--mfunc eval(base64_decode(cGhwaW5mbygpOyAg)); --><!--/mfunc-->

this comment will be ignored by WordPress (because it's an HTML comment) but parsed and executed by the caching plugin, which will return a page showing a phpinfo() page.

This is a very dangerous vulnerability. Over 6 million WordPress installations could potentially be vulnerable. It is therefore absolutely essential that the vulnerable versions of these plugins are upgraded to the latest version as soon as possible.

Sources:
http://blog.sucuri.net/2013/04/upda...e-code-execution-vulnerability-disclosed.html
http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/
http://blog.futtta.be/2013/04/18/wp-caching-plugin-vulnerability-debrief/
But it seems the current version of W3TC is still vulnerable.
http://wordpress.org/support/topic/mfunc-still-not-working
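
A detection-side illustration of the issue described above, added here as an example (it is not code from either plugin or from the posts quoted in this thread): it scans submitted comment text for the three dynamic-snippet tags and escapes them so they no longer survive as HTML comments. The function names, the regex and the sample comments are assumptions constructed for the example.

```python
import html
import re

# The three dynamic-snippet tags listed in the post.
DYNAMIC_TAGS = ("mfunc", "mclude", "dynamic-cached-content")

# Assumption: treat any HTML comment that opens or closes one of the tags as
# suspicious, case-insensitively and tolerating whitespace after "<!--".
TAG_RE = re.compile(
    r"<!--\s*(/?)\s*(" + "|".join(map(re.escape, DYNAMIC_TAGS)) + r")\b(.*?)-->",
    re.IGNORECASE | re.DOTALL,
)


def find_dynamic_tags(text):
    """Return (tag, is_closing, argument) for every dynamic tag in text."""
    return [
        (m.group(2).lower(), m.group(1) == "/", m.group(3).strip())
        for m in TAG_RE.finditer(text)
    ]


def neutralize(text):
    """HTML-escape matched tags so a caching layer sees text, not a comment."""
    return TAG_RE.sub(lambda m: html.escape(m.group(0)), text)


def scan_comments(comments):
    """Map comment id -> sorted tag names, for comments that contain any."""
    flagged = {}
    for comment_id, text in comments:
        tags = sorted({tag for tag, _, _ in find_dynamic_tags(text)})
        if tags:
            flagged[comment_id] = tags
    return flagged


# Constructed sample comments; id 2 is the phpinfo() example quoted in the post.
SAMPLE_COMMENTS = [
    (1, "Great article, thanks!"),
    (2, "<!--mfunc eval(base64_decode(cGhwaW5mbygpOyAg)); --><!--/mfunc-->"),
    (3, "nice <!-- MCLUDE file.php --><!--/mclude-->"),
    (4, "I use mfunc on my own site <!-- ordinary comment -->"),
]

if __name__ == "__main__":
    for cid, tags in scan_comments(SAMPLE_COMMENTS).items():
        print(cid, tags)
```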