W3 Total Cache <= – Authenticated Arbitrary File Download

When creating a support ticket from the plugin's page, you can attach one or more of your theme template files.

These files are then sent to the plugin author to help them resolve the issue.

You select a template and submit the form; just as with the other files attached earlier, it is sent to the author to help them fix the issue.

How does it work:
    // Form handler (support request): attach the selected templates
    foreach ($templates as $template) {
        if (!empty($template)) {
            $attachments[] = $template;
        }
    }

    // One option per attachment, keyed by the md5 of its path; files.php later
    // checks the requested path against it
    foreach ($attachments as $attachment) {
        if (is_network_admin())
            update_site_option('attachment_' . md5($attachment), $attachment);
        else
            update_option('attachment_' . md5($attachment), $attachment);
    }

    // Remove temporary files (and the options) once the request has been sent
    foreach ($attachments as $attachment) {
        // ...
        if (is_network_admin())
            delete_site_option('attachment_' . md5($attachment));
        else
            delete_option('attachment_' . md5($attachment));
    }

    // files.php: serve the requested attachment
    $attachment_location = filter_var(urldecode($_REQUEST['file']), FILTER_SANITIZE_STRING);
    $md5 = md5($attachment_location);
    $nonce = $_REQUEST['nonce'];
    $stored_nonce = get_site_option('w3tc_support_request') ? get_site_option('w3tc_support_request') : get_option('w3tc_support_request');
    $stored_attachment = get_site_option('w3tc_support_request') ? get_site_option('attachment_' . $md5) : get_option('attachment_' . $md5);

    // Loose == on the nonce, and no restriction on where the file may live
    if (file_exists($attachment_location) && $nonce == $stored_nonce && !empty($stored_nonce) && $stored_attachment == $attachment_location) {
        // ... the file contents are sent back to the requester
    }

First, the selected templates are added to the attachments array; second, an option is stored for each one, to be used later as proof that the file was chosen through the support form; finally, these options are deleted once the submission is complete.

Between the creation and the deletion of the option, files.php is called to fetch the attachment; the request is checked against a nonce and against the stored option.

The vulnerability lies in the fact that the template name can be modified (using Firebug, for example) to point at another existing file on the server, such as wp-config.php.

An option has now been created for this fake template. Then, using the same type-juggling flaw as before, the nonce check can be passed because of the loose == comparison.

You also have to attach a large file (20 MB) to widen the window between the creation and the deletion of the options, which leaves time to exploit this.

Requesting the files.php URL in this way downloads wp-config.php. As with the previous flaws, this matters because a WordPress administrator is not necessarily the server's webmaster and is not always meant to be able to read the configuration file, so this is a vulnerability.
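The following is an added example, not code from W3 Total Cache or from the SecuPress write-up. It shows a hardened form of the files.php check described above (strict, constant-time nonce comparison with hash_equals() and a realpath() allow-list on the theme directory) next to a demonstration of why the loose == comparison can be satisfied without knowing the nonce. The theme directory, the stored attachment values and the "0e..." nonce are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the plugin or from SecuPress: a hardened version
// of the files.php check and a demonstration of the loose "==" nonce problem.
// Directory layout, option values and nonce values below are assumptions.

/**
 * Hardened replacement for the check in files.php.
 *
 * - The nonce is compared with hash_equals(): strict (no type juggling) and
 *   constant-time.
 * - The requested file must resolve, via realpath(), to a regular file inside
 *   $allowed_dir (assumed here to be the active theme directory), so a stored
 *   option pointing at wp-config.php is no longer enough.
 * - The stored attachment path is assumed to have been stored as a realpath()
 *   result by the form handler, so both sides are compared in canonical form.
 */
function hardened_check(
    string $requested,
    string $nonce,
    string $stored_nonce,
    ?string $stored_attachment,
    string $allowed_dir
): bool {
    if ($stored_nonce === '' || $stored_attachment === null) {
        return false;
    }
    if (!hash_equals($stored_nonce, $nonce)) {
        return false;
    }
    $real = realpath(urldecode($requested));
    $base = realpath($allowed_dir);
    if ($real === false || $base === false || !is_file($real)) {
        return false;
    }
    // Prefix check with a trailing separator so that "/themes/foo" does not
    // accidentally match "/themes/foobar".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return hash_equals($stored_attachment, $real);
}

// --- Type juggling: two numeric strings compared with == are compared as
// numbers. A stored nonce of the form "0e<digits>" (possible when the nonce is
// a hex digest) equals the attacker-supplied string "0" under ==, so the
// original `$nonce == $stored_nonce` test passes. (Assumed nonce value.)
$stored = '0e462097431906509019562988736854';
var_dump('0' == $stored);            // loose comparison used by the original check
var_dump(hash_equals($stored, '0')); // strict comparison used by hardened_check()

// --- Exercising the hardened check with a constructed theme directory.
$themeDir = sys_get_temp_dir() . '/w3tc_example_theme_' . getmypid();
mkdir($themeDir);
file_put_contents($themeDir . '/index.php', "<?php // template\n");
$nonce = bin2hex(random_bytes(16));
$legit = realpath($themeDir . '/index.php');

// Legitimate template chosen through the form.
var_dump(hardened_check($themeDir . '/index.php', $nonce, $nonce, $legit, $themeDir));

// The attack from the write-up: the "template" name was edited to point at a
// file outside the theme directory and an option was stored for it. The file
// lies outside $allowed_dir, so the stored option alone is not enough.
// (This script is used only as an existing-file stand-in for wp-config.php.)
var_dump(hardened_check(__FILE__, $nonce, $nonce, realpath(__FILE__), $themeDir));

// Wrong nonce: the constant-time strict comparison does not juggle types.
var_dump(hardened_check($themeDir . '/index.php', '0', $nonce, $legit, $themeDir));

unlink($themeDir . '/index.php');
rmdir($themeDir);
```

Run it with php from a file (not php -r, since the example uses __FILE__ as its out-of-tree target). The first var_dump shows that "0" and the "0e..." string are equal under ==, which is the juggling the write-up relies on, while hash_equals() rejects the pair; of the three hardened_check() calls only the first, the legitimate template inside the theme directory, is accepted. The allow-list is the part that actually closes the arbitrary-download path: even with a valid nonce and a matching stored option, a file outside the theme directory is refused.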

Proof of Concept

Affects Plugin
W3 Total Cache, fixed in version 0.9.5

URL https://secupress.me/blog/4-new-security-flaws-w3-total-cache-0-9-4-1/

Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Views 6114
Verified No

Publicly Published 2016-09-26
Added 2016-09-26
Last Updated 2019-11-01
