A vulnerability has been discovered in WP Super Cache, a plugin by Automattic. It is rated as a low-severity issue, but it could allow a hacker to upload and run malicious code against the site's files and database, with the goal of taking full control of the website and its data.
Remote Code Execution Vulnerability (RCE)
WP Super Cache users were exposed to an authenticated remote code execution (RCE) vulnerability following the disclosure of a flaw in the plugin. RCE is an exploit that allows attackers to place malicious code into the website's files or database and have it run for their benefit.
The usual intention is to upload PHP code that installs a backdoor, giving the attacker access to the database and administrative control over the website.
With administrative control, attackers can change the website to suit their own ends. Wordfence defines Remote Code Execution as follows:
“Remote Code Execution (RCE) occurs when an attacker is able to upload code to your website and execute it.
A bug in a PHP application may accept user input and evaluate it as PHP code. This could, for example, allow an attacker to tell the website to create a new file containing code that grants the attacker full access to your website.
When an attacker sends code to your web application and it is executed, granting the attacker access, they have exploited an RCE vulnerability. This is a very serious vulnerability because it is usually easy to exploit and grants full access to an attacker immediately after being exploited.”
Authenticated Remote Code Execution Vulnerability
Remote Code Execution comes in two variations; the one in the WP Super Cache plugin is called Authenticated Remote Code Execution.
An Authenticated Remote Code Execution vulnerability is one where the attacker must first be registered with the website. The level of registration needed depends on the vulnerability in question and varies. The privileges required depend on the task, and in some of the worst cases the only registration level required is subscriber. What kind of authentication is required for this particular exploit is not clear.
Patch Released: Update Immediately
The developer of WP Super Cache has updated the software, and publishers who have the plugin installed on their websites should immediately update to the latest version, 1.7.2. Along with the update, the developer released a changelog that explains the reason for the update.
According to the website security company Patchstackapp: “The fixed issue is of low severity… But it’s still advised to update the plugin ASAP though.”
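One way to check which sites on a server still run an affected release (1.7.1 or earlier), shown as an added example that is not code from the plugin or from the sources quoted here. It assumes the plugin's main file is wp-content/plugins/wp-super-cache/wp-cache.php and reads the Version line from its header; the site names and files in demo() are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 7, 2)  # patched release named in the article; <= 1.7.1 is affected
# Assumption: the plugin's main file sits at this path inside each install.
MAIN_GLOB = "**/wp-content/plugins/wp-super-cache/wp-cache.php"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(text):
    """Return the plugin-header version as a tuple of ints, or None."""
    m = VERSION_RE.search(text[:8192])  # only the file header is inspected
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit(root):
    """Return [(site_dir_name, version, status)] for every install under root."""
    rows = []
    for main in sorted(Path(root).glob(MAIN_GLOB)):
        site = main.parents[3]  # parents: plugin dir, plugins, wp-content, site root
        ver = parse_version(main.read_text(errors="replace"))
        if ver is None:
            status = "unknown"  # header missing or altered: inspect by hand
        else:
            status = "vulnerable" if ver < FIXED else "patched"
        rows.append((site.name, ver, status))
    return rows


def demo():
    """Audit a constructed tree (sample data, not real sites)."""
    samples = {"shop": "1.7.1", "blog": "1.7.2", "old": "1.6"}
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in samples.items():
            plugin = Path(tmp, site, "wp-content/plugins/wp-super-cache")
            plugin.mkdir(parents=True)
            header = f"<?php\n/*\n * Plugin Name: WP Super Cache\n * Version: {ver}\n */\n"
            (plugin / "wp-cache.php").write_text(header)
        return audit(tmp)


if __name__ == "__main__":
    for name, ver, status in demo():
        print(f"{name:6} {ver} {status}")
```

Call audit() with the directory that holds your WordPress installs; any row marked vulnerable or unknown needs the update to 1.7.2 or a manual look.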
- WordPress WP Super Cache plugin <= 1.7.1 – Authenticated Remote Code Execution (RCE) vulnerability
- WP Super Cache Changelog
- Search Engine Journal