A vulnerability was discovered in WP Super Cache by Automattic. It’s a low severity vulnerability that could allow a hacker to upload and execute malicious code, usually with the intent to gain control of the site.
Remote Code Execution Vulnerability (RCE)
A flaw was disclosed today that exposes users of WP Super Cache to an authenticated remote code execution (RCE) vulnerability.
Remote code execution is a class of vulnerability in which an attacker exploits a flaw that lets them upload and run malicious code.
The usual intent is to upload and execute PHP code that then allows them to do things like install backdoors, access and make changes to the database, and attain administrator-level control of the site.
Once an attacker has administrator-level control, the site is effectively under their control.
According to the glossary published by Wordfence, this is the definition of remote code execution:
“Remote Code Execution (RCE) occurs when an attacker is able to upload code to your website and execute it.
A bug in a PHP application may accept user input and evaluate it as PHP code. This could, for example, allow an attacker to tell the website to create a new file containing code that grants the attacker full access to your website.
When an attacker sends code to your web application and it is executed, granting the attacker access, they have exploited an RCE vulnerability. This is a very serious vulnerability because it is usually easy to exploit and grants full access to an attacker immediately after being exploited.”
Authenticated Remote Code Execution Vulnerability
The flaw in WP Super Cache is a variation of RCE called authenticated remote code execution.
An authenticated remote code execution vulnerability is one in which the attacker must first be registered with the site.
What level of registration is needed depends on the exact vulnerability and can vary.
Sometimes the attacker needs to be a registered user with editing privileges. In the worst-case scenario, all the attacker needs is the lowest registration level, such as subscriber.
No details have been published as to which kind of authentication is needed for the exploit.
This is the additional detail that was revealed:
“Authenticated Remote Code Execution (RCE) vulnerability (settings page) discovered…”
Patch Has Been Issued – Update Immediately
Automattic, the developer of WP Super Cache, has updated the software. Publishers who use the plugin are urged to consider upgrading to the latest version, 1.7.2.
Every software publisher releases a changelog that informs the users about updates and the reasons behind those updates.
According to the changelog for WP Super Cache Version 1.7.2:
“Fixed authenticated RCE in the settings page.”
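One way to find installs that still need the update, as an added example that is not from the original article or from Automattic: the script reads the plugin's Version header on each site under a web root and flags anything below 1.7.2. The main-file path wp-content/plugins/wp-super-cache/wp-cache.php is an assumption, and the sample plugin headers are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 7, 2)  # first patched release per the changelog; <= 1.7.1 is affected
# Assumption: the plugin's main file, holding its header, is wp-cache.php.
MAIN_FILE = "wp-content/plugins/wp-super-cache/wp-cache.php"
# Same shape as a WordPress plugin header line, e.g. " * Version: 1.7.1"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)


def header_version(php_source):
    """Return the Version header as a tuple of ints, or None if absent."""
    match = HEADER_RE.search(php_source[:8192])  # headers sit at the top of the file
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def classify(version):
    """'vulnerable' below 1.7.2, 'patched' otherwise, 'unknown' if unreadable."""
    if version is None:
        return "unknown"
    padded = version + (0,) * (len(FIXED) - len(version))  # 1.7 compares as 1.7.0
    return "patched" if padded >= FIXED else "vulnerable"


def audit(web_root):
    """Map every WordPress install under web_root to the plugin's status."""
    results = {}
    for main in sorted(Path(web_root).rglob(MAIN_FILE)):
        site = main.parents[3].relative_to(web_root).as_posix()
        source = main.read_text(encoding="utf-8", errors="replace")
        results[site] = classify(header_version(source))
    return results


def demo():
    """Run the audit over a constructed tree of three installs."""
    samples = {  # constructed plugin headers, not real site data
        "shop": "<?php\n/*\n * Plugin Name: WP Super Cache\n * Version: 1.7.1\n */\n",
        "blog": "<?php\n/*\nPlugin Name: WP Super Cache\nVersion: 1.7.2\n*/\n",
        "old": "<?php // header stripped\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for site, source in samples.items():
            main = Path(root, site, MAIN_FILE)
            main.parent.mkdir(parents=True)
            main.write_text(source, encoding="utf-8")
        return audit(root)


if __name__ == "__main__":
    print(demo())
```

An "unknown" result means the header could not be read, so that install should be checked by hand rather than treated as patched.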
Citations
- CVE-2021-24209 Mitre Corporation, Sponsored by U.S. Department of Homeland Security
- Patchstack Report: WordPress WP Super Cache Plugin <= 1.7.1 – Authenticated Remote Code Execution (RCE) Vulnerability
- WP Super Cache Changelog