WP Super Cache Vulnerability Affects Over 2 Million Sites


An authenticated remote code execution (RCE) vulnerability has been discovered in WP Super Cache. Automattic discovered the vulnerability. It is rated low severity and allows attackers to upload and execute malicious code with the intention of manipulating the site.

Remote Code Execution Vulnerability (RCE)

Today, a bug was disclosed that exposes users of WP Super Cache to an authenticated remote code execution (RCE) vulnerability.

RCE is an exploit in which an attacker takes advantage of a flaw to upload and run malicious code.

Most hackers aim to gain administrator-level control over the site: by uploading and executing PHP code, they get the access needed to install backdoors and make changes to the database.

According to the glossary published on Wordfence.com, the definition of Remote Code Execution is:

“Remote Code Execution (RCE) occurs when an attacker is able to upload code to your website and execute it.

A bug in a PHP application may accept user input and evaluate it as PHP code. This could, for example, allow an attacker to tell the website to create a new file containing code that grants the attacker full access to your website.

When an attacker sends code to your web application, and it is executed, granting the attacker access, they have exploited an RCE vulnerability. This is a very serious vulnerability because it is usually easy to exploit and grants full access to an attacker immediately after being exploited.”

Authenticated Remote Code Execution Vulnerability

WP Super Cache is affected by a variation of the RCE exploit called authenticated remote code execution.

An authenticated RCE is an attack in which the attacker must first be registered with the site.

The level of registration needed depends on the exact vulnerability and can vary.

Sometimes registration with editing privileges is needed, but in some scenarios the attacker merely needs to be registered as a subscriber.

No details have come to light about which level of authentication is needed for this exploit.

This is the additional detail that was revealed:

“Authenticated Remote Code Execution (RCE) vulnerability (settings page) discovered…”

Patch Has Been Issued: Update Immediately

Automattic, the developer of WP Super Cache, has updated the software. Publishers who use the caching plugin are urged to consider upgrading to the latest version, 1.7.2.

Like other software publishers, the WP Super Cache developers publish a changelog that tells users what each update contains and why the software is being updated.

According to the changelog for WP Super Cache Version 1.7.2:

“Fixed authenticated RCE in the settings page.”

According to Oliver Sild, CEO & Founder of website security company Patchstack (@patchstackapp):

“The fixed issue is of low severity… But it’s still advised to update the plugin ASAP though.”
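
To find installs that still need the 1.7.2 update, the following added example (not code from WP Super Cache or Automattic) locates the plugin by its "Plugin Name" header and compares the "Version" header against 1.7.2. The directory and file names built in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 7, 2)    # first fixed release, per the changelog quoted above
HEADER_BYTES = 8192  # WordPress reads plugin headers from the first 8 KB

def header(text, field):
    """Return a plugin header field such as 'Version', or None if absent."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", text, re.I | re.M)
    return m.group(1).strip() if m else None

def parse_version(s):
    """'1.7.2' -> (1, 7, 2); a '-beta' style suffix is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", s.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(plugins_dir):
    """Yield (path, version, status) for each WP Super Cache copy found."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        text = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if header(text, "Plugin Name") != "WP Super Cache":
            continue
        version = header(text, "Version")
        if version is None:
            yield php, None, "UNKNOWN"
        else:
            status = "OK" if parse_version(version) >= FIXED else "VULNERABLE"
            yield php, version, status

def demo():
    """Audit three constructed plugin directories (names are hypothetical)."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in [("site-a", "1.7.1"), ("site-b", "1.7.2"), ("site-c", "1.10")]:
            d = Path(root, site, "cache-plugin")
            d.mkdir(parents=True)
            (d / "main.php").write_text(
                "<?php\n/*\n * Plugin Name: WP Super Cache\n * Version: %s\n */\n" % ver)
        return [(v, s) for site in sorted(Path(root).iterdir())
                for _, v, s in audit(site)]

if __name__ == "__main__":
    for version, status in demo():
        print(version, status)
```

On a real server, pass each site's plugins directory to `audit()` and update every copy reported as VULNERABLE.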



James Robert is a journalist who covers all the social media and tech-related news for SG-educate, the world's largest multimedia news agency. He reports on tech from all over the world, focusing mostly on social media platforms. He has worked as a digital editor and on online coverage of global breaking tech news and big stories, reaching millions of readers across multiple platforms.
