W3 Total Cache <= – Authenticated Arbitrary File Upload

When you create a support ticket from the plugin page, you can attach one or more files from your computer.

These files are then sent to the author to help him resolve the issue.

When we look at the code, this is what W3TC does (the plugin's own code; the parts between and after the two fragments are not shown on the page):

```php
// Attach other files
if (!empty($_FILES['files'])) {
    $files = (array) $_FILES['files'];
    for ($i = 0, $l = count($files); $i < $l; $i++) {
        if (isset($files['tmp_name'][$i]) && isset($files['name'][$i]) && isset($files['error'][$i]) && $files['error'][$i] == UPLOAD_ERR_OK) {
            // The file keeps its client-supplied name and lands in a web-served cache directory
            $path = W3TC_CACHE_TMP_DIR . '/' . $files['name'][$i];
            if (@move_uploaded_file($files['tmp_name'][$i], $path)) {
                $attachments[] = $path;
            }
        }
    }
}

// (code between the two fragments is not shown on the page)

// Remove temporary files
foreach ($attachments as $attachment) {
    if (strstr($attachment, W3TC_CACHE_TMP_DIR) !== false) {
        // deletion of the temporary file (body not shown on the page)
    }
}
```

OK, so when you submit the form as an administrator, W3TC uploads our files into its temporary folder /wp-content/cache/tmp/ and then deletes them right after that; each file lives only a few milliseconds.

But what if I send two files: the first one a 2 KB malicious PHP file containing a backdoor, the second one a 20 MB file? The submission lasts much longer, and the first file won't be deleted until the second one has finished uploading, so I can now access the first file.

An administrator is not always allowed to execute custom PHP code: he is a WordPress administrator, not necessarily the webmaster, so this represents a vulnerability.
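As an added example (not the plugin's code, and not the fix shipped in version 0.9.5), here is how the attachment handling described above can be hardened: an extension allow-list, a random server-side file name, storage in a directory the web server does not serve, and cleanup in a finally block so the files never outlive the request. The function names and the $privateDir directory are assumptions.

```php
<?php
// Added example, not W3 Total Cache's code: a hardened version of the
// attachment handling. Function names and $privateDir are assumptions;
// $privateDir must be a directory the web server does not serve (PHP 7+).

function example_collect_attachments(array $files, string $privateDir): array
{
    // Allow-list of harmless extensions; .php and friends are never accepted.
    $allowed = ['txt', 'log', 'png', 'jpg', 'jpeg', 'gif', 'zip'];
    $attachments = [];
    // Iterate over the number of uploads, not over the keys of $_FILES['files'].
    $count = count($files['tmp_name'] ?? []);
    for ($i = 0; $i < $count; $i++) {
        if (!isset($files['tmp_name'][$i], $files['name'][$i], $files['error'][$i])
            || $files['error'][$i] !== UPLOAD_ERR_OK) {
            continue;
        }
        // The client-supplied name is only used to derive the extension.
        $ext = strtolower(pathinfo($files['name'][$i], PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed, true)) {
            continue; // reject anything not on the allow-list
        }
        // Random server-side name: the uploader cannot predict or choose the path.
        $path = $privateDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        // move_uploaded_file() refuses files that were not uploaded in this request.
        if (move_uploaded_file($files['tmp_name'][$i], $path)) {
            $attachments[] = $path;
        }
    }
    return $attachments;
}

// $send receives the attachment paths and returns true on success.
function example_send_ticket_with_attachments(array $files, string $privateDir, callable $send): bool
{
    $attachments = example_collect_attachments($files, $privateDir);
    try {
        return $send($attachments);
    } finally {
        // Runs even when $send throws, so no attachment survives the request.
        foreach ($attachments as $attachment) {
            @unlink($attachment);
        }
    }
}

// Usage (the private directory is an assumed path outside the document root):
// $ok = example_send_ticket_with_attachments($_FILES['files'], '/var/lib/w3tc-private', $sendTicket);
```

Because the files are written outside the web root under unpredictable names, a slow second upload no longer gives anyone a window in which the first file can be requested and executed.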

Affects Plugin

fixed in version 0.9.5


URL https://secupress.me/blog/4-new-security-flaws-w3-total-cache-0-9-4-1/




Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Views 4321
Verified No


Publicly Published 2016-09-26 (over 2 years ago)
Added 2016-09-26 (over 2 years ago)
Last Updated 2018-01-02 (over 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.