W3 Total Cache <= – Authenticated Arbitrary File Download


When creating a support ticket on the plugin page, you can add one or more of your theme templates.

These files are then sent to the plugin author to help resolve the issue.

You select one, submit the form and, as with the attached files before, it is sent to the author to help fix the issue.

How does it work (relevant parts of the plugin's support-request code, with the elided braces and else branches restored):

    /**
     * Attach templates
     */
    foreach ($templates as $template) {
        if (!empty($template)) {
            $attachments[] = $template;
        }
    }

    foreach ($attachments as $attachment) {
        if (is_network_admin())
            update_site_option('attachment_' . md5($attachment), $attachment);
        else
            update_option('attachment_' . md5($attachment), $attachment);
    }

    // ...

    /**
     * Remove temporary files
     */
    foreach ($attachments as $attachment) {
        // ...
        if (is_network_admin())
            delete_site_option('attachment_' . md5($attachment));
        else
            delete_option('attachment_' . md5($attachment));
    }

The check in files.php:

    $attachment_location = filter_var(urldecode($_REQUEST['file']), FILTER_SANITIZE_STRING);
    $md5 = md5($attachment_location);
    $nonce = $_REQUEST['nonce'];
    $stored_nonce = get_site_option('w3tc_support_request') ? get_site_option('w3tc_support_request') : get_option('w3tc_support_request');
    $stored_attachment = get_site_option('w3tc_support_request') ? get_site_option('attachment_' . $md5) : get_option('attachment_' . $md5);

    if (file_exists($attachment_location) && $nonce == $stored_nonce && !empty($stored_nonce) && $stored_attachment == $attachment_location) {
        // ...
    }

First, the chosen templates are added to the attachments array; second, an option is created for each one, which is later used to confirm that the file was chosen from this support form; finally, these options are deleted once the submission is done.

Between the creation and the deletion of these options, files.php is called to fetch the attachment, and the request is verified with a nonce and against the created option.

The vulnerability lies in the fact that the template name can be modified (using Firebug, for example) to point to another existing file on the site, such as wp-config.php.

An option is therefore created for this fake theme template. Then, using the same type juggling flaw as before, the nonce check can be passed because of the loose == comparison.

A 20 MB file also has to be attached to gain enough time to exploit this.

Pointing at the files.php URL in this way makes it possible to download wp-config.php. For the same reason as before, an administrator is not always allowed to read the config file: he is a WordPress administrator, not the webmaster, so this represents a vulnerability.
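As an added example (not the plugin's own code), here are the loose nonce comparison and the path check from files.php beside hardened versions; the directory layout and file names are constructed for the demo:

```php
<?php
// Added example, not the plugin's code: the two weak checks from files.php
// (loose == on the nonce, and trusting a path the form itself stored) next
// to hardened versions. Directory layout and file names are constructed.

/** Same shape as files.php: loose ==, so numeric-looking strings compare as numbers. */
function nonce_ok_loose(string $supplied, string $stored): bool
{
    return $supplied == $stored && !empty($stored);
}

/** Hardened: stored value must be non-empty and match byte for byte, in constant time. */
function nonce_ok_strict(string $supplied, string $stored): bool
{
    return $stored !== '' && hash_equals($stored, $supplied);
}

/**
 * Hardened path check: the requested name must resolve to a regular file
 * under $base. A name such as ../wp-config.php is refused even if the same
 * string was stored in an attachment_* option by the support form.
 */
function resolve_allowed_path(string $base, string $requested): ?string
{
    $realBase = realpath($base);
    $real     = realpath($base . '/' . $requested);
    if ($realBase === false || $real === false || !is_file($real)) {
        return null;
    }
    return strpos($real, $realBase . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// Constructed layout: a templates directory next to a wp-config.php it must not serve.
$root = sys_get_temp_dir() . '/w3tc_demo_' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/page.php", "<?php // template\n");
file_put_contents("$root/wp-config.php", "<?php // secrets\n");

// '0e1' and '0e2' are both numeric strings with the value 0: the loose check
// treats them as equal, the strict check does not.
var_dump(nonce_ok_loose('0e1', '0e2'));
var_dump(nonce_ok_strict('0e1', '0e2'));

// The registered template resolves; the config file outside $base does not.
var_dump(resolve_allowed_path("$root/templates", 'page.php'));
var_dump(resolve_allowed_path("$root/templates", '../wp-config.php'));
```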

Proof of Concept

Plugin: w3-total-cache
Fixed in version: 0.9.5
URL: https://secupress.me/4-new-security-flaws-w3-total-cache-0-9-4-1/
OWASP Top 10: A8: Cross-Site Request Forgery (CSRF)
Submitter: SecuPress
Submitter Website: https://secupress.me
Submitter Twitter: secupress
Verified: No
Publicly Published: 2016-09-26
Added: 2016-09-26
Last Updated: 2016-09-27

Copyright & License

Copyright: All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License: Some of this data may be used for non-commercial purposes; however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license, please contact us.