A security vulnerability has been identified in a widely used, open source WordPress plugin, WP Super Cache. Upgrading to the latest version, 1.4.4, from within the WordPress dashboard fixes the bug and the vulnerability that results from it.
The bug is a stored cross-site scripting (XSS) issue: using a carefully crafted request, an attacker could insert malicious script into the plugin's cached file listing page. Because that page requires a valid nonce in order to be displayed, the attacker cannot trigger the page load directly; successful exploitation requires the site's administrator to open that particular section of the plugin's settings themselves. Once the injected script runs in the administrator's browser, it can do anything the administrator can, such as adding a new administrator account or injecting a backdoor through the WordPress theme editor.
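To make the mechanism concrete, here is an added illustration, not code from WP Super Cache or from this post, of why an attacker-controlled name that ends up in an admin listing page is a stored XSS bug, and what the fix for this class of bug looks like. The listing functions, the file names and the payload are all constructed for the example; htmlspecialchars() stands in for WordPress's esc_html(), which is built on it.

```php
<?php
// Added illustration of a stored XSS in an admin listing page.
// Nothing here is WP Super Cache's own code; the entries are constructed.

// Hypothetical cache entries as they might sit on disk. The second one
// carries a script fragment an attacker planted through a crafted request.
$cached_files = [
    'index.html',
    '<script>alert(document.domain)</script>',
];

// Vulnerable rendering: untrusted names are concatenated into HTML as-is,
// so the browser of whoever views the page executes the planted script.
function render_listing_unescaped(array $files): string
{
    $html = '<ul>';
    foreach ($files as $name) {
        $html .= '<li>' . $name . '</li>';
    }
    return $html . '</ul>';
}

// Hardened rendering: every untrusted value is HTML-escaped at output time.
// htmlspecialchars() with ENT_QUOTES is the core of WordPress's esc_html().
function render_listing_escaped(array $files): string
{
    $html = '<ul>';
    foreach ($files as $name) {
        $html .= '<li>'
            . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . '</li>';
    }
    return $html . '</ul>';
}

// Returns true when the rendered page still contains a live <script> tag,
// i.e. when the data was not escaped before being echoed.
function contains_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$unsafe = render_listing_unescaped($cached_files);
$safe   = render_listing_escaped($cached_files);

echo "unescaped listing executes script: "
    . (contains_live_script($unsafe) ? 'yes' : 'no') . PHP_EOL;   // yes
echo "escaped listing executes script:   "
    . (contains_live_script($safe) ? 'yes' : 'no') . PHP_EOL;     // no
echo $safe . PHP_EOL;
```

The nonce on the listing page does not help against this: it decides who may load the page, not what is stored in it, so the payload fires the moment an administrator opens the section legitimately. The defence is escaping at output, as the second function does.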
Protected by our website firewall
All sites actively managed by Scientifica have already been updated to address this vulnerability. All customers using our website firewall were protected against it automatically and remain so.
If you manage your own site, our team recommends that you address this vulnerability by upgrading your WP Super Cache plugin to the latest version, 1.4.4.