W3 Total Cache <= – Authenticated Arbitrary File Download

When creating a support ticket from the plugin page, you can attach one or more of your theme's template files.

These files are then sent to the plugin author to help resolve the issue.

You select a template and submit the form, and, exactly as with the files attached earlier, it is sent to the author to help them fix the issue.

How does it work (excerpt from the support form handler; the braces and else branches that the excerpt dropped are restored):

        /**
         * Attach templates
         */
        foreach ($templates as $template) {
            if (!empty($template)) {
                $attachments[] = $template;
            }
        }

        /**
         * Store each attachment path as a temporary option, keyed by its md5
         */
        foreach ($attachments as $attachment) {
            if (is_network_admin())
                update_site_option('attachment_' . md5($attachment), $attachment);
            else
                update_option('attachment_' . md5($attachment), $attachment);
        }

        // ... the request is submitted; files.php is called to fetch the attachments ...

        /**
         * Remove temporary files
         */
        foreach ($attachments as $attachment) {
            // ...
            if (is_network_admin())
                delete_site_option('attachment_' . md5($attachment));
            else
                delete_option('attachment_' . md5($attachment));
        }

And the check in files.php, which serves the requested attachment:

        $attachment_location = filter_var(urldecode($_REQUEST['file']), FILTER_SANITIZE_STRING);
        $md5 = md5($attachment_location);
        $nonce = $_REQUEST['nonce'];
        $stored_nonce = get_site_option('w3tc_support_request') ? get_site_option('w3tc_support_request') : get_option('w3tc_support_request');
        $stored_attachment = get_site_option('w3tc_support_request') ? get_site_option('attachment_' . $md5) : get_option('attachment_' . $md5);

        if (file_exists($attachment_location) && $nonce == $stored_nonce && !empty($stored_nonce) && $stored_attachment == $attachment_location) {
            // ... the file is read and sent back
        }

First, the selected templates are added to the attachments array; second, an option named attachment_<md5 of the path> is stored for each one, which is later used to make sure the file really was chosen from this support form; finally, these options are deleted once the submission is done.

Between the option creation and its deletion, files.php is called to fetch the attachment, which it verifies against a nonce and against the option created above.

The vulnerability lies in the fact that we can modify the template name in the form (using Firebug, for example) to any other existing file on the site, such as wp-config.php.

So now an option has been created for this fake theme template, and the $stored_attachment == $attachment_location check passes. Then, using the same type juggling flaw as before, I can satisfy the nonce check, because it is made with a loose == rather than a strict comparison.

You also have to attach a large file (around 20 MB) so that the submission takes long enough to exploit this: the option only exists between its creation and its deletion, and the upload time is the window in which files.php can be called.

Pointing the files.php URL at that file then lets me download wp-config.php. For the same reason as before, this is a vulnerability: a WordPress administrator is not necessarily allowed to read the configuration file, since they are a WordPress administrator, not the webmaster who runs the server.
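The check above, modelled in PHP as an added example (this is not W3 Total Cache or SecuPress code): an in-memory stand-in for the attachment_* options, the quoted condition with its loose ==, and a hardened version that compares the nonce with hash_equals and only serves files under the theme directory. The page does not say how the stored nonce is generated; the value used here is a constructed hex string that PHP's == treats as numeric, one common way the loose comparison is fooled. The file layout and all paths are constructed for the demo in a temporary directory.

```php
<?php
// Added example, not code from W3 Total Cache or the SecuPress post. It models the
// files.php check quoted above against an in-memory option store, then shows a
// hardened version. Assumptions (not stated on the page): the shape of the stored
// nonce (a constructed hex string that PHP's == treats as numeric) and the file
// layout, which is created in a temporary directory below.
declare(strict_types=1);

// Stand-in for the attachment_<md5> options the support form writes.
function add_attachment(array &$options, string $path): void {
    $options['attachment_' . md5($path)] = $path;
}

// Mirrors the quoted files.php condition, loose == included.
function vulnerable_allows(array $options, string $file, string $nonce): bool {
    $stored_nonce      = $options['w3tc_support_request'] ?? '';
    $stored_attachment = $options['attachment_' . md5($file)] ?? '';
    return file_exists($file)
        && $nonce == $stored_nonce           // loose: two numeric strings compare as numbers
        && !empty($stored_nonce)
        && $stored_attachment == $file;      // the attacker chose this value in the form
}

// Hardened: constant-time, type-strict nonce check and a path allow-list rooted
// in the theme directory, so wp-config.php cannot qualify even when an
// attachment_* option exists for it.
function hardened_allows(array $options, string $file, string $nonce, string $allowed_root): bool {
    $stored_nonce = $options['w3tc_support_request'] ?? '';
    if ($stored_nonce === '' || !hash_equals($stored_nonce, $nonce)) {
        return false;
    }
    $real = realpath($file);
    $root = realpath($allowed_root);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;                        // missing, or outside the allowed tree
    }
    return ($options['attachment_' . md5($file)] ?? null) === $file;
}

// Constructed layout: one theme template (a legitimate attachment) and a config
// file, the name the attacker substitutes for a template in the form.
$base = sys_get_temp_dir() . '/w3tc_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/themes/demo', 0700, true);
file_put_contents($base . '/themes/demo/header.php', "<?php // template\n");
file_put_contents($base . '/wp-config.php', "<?php define('DB_PASSWORD', 'secret');\n");

// Constructed nonce (assumption: a hex string that happens to look numeric).
$options = ['w3tc_support_request' => '0e831189742395719084112'];
add_attachment($options, $base . '/themes/demo/header.php');
add_attachment($options, $base . '/wp-config.php');     // what the tampered form produces

$cases = [
    ['legit template, real nonce', $base . '/themes/demo/header.php', $options['w3tc_support_request']],
    ['wp-config.php, real nonce',  $base . '/wp-config.php',          $options['w3tc_support_request']],
    ['wp-config.php, nonce "0"',   $base . '/wp-config.php',          '0'],
];
foreach ($cases as [$label, $file, $nonce]) {
    printf("%-28s vulnerable=%-5s hardened=%s\n", $label,
        var_export(vulnerable_allows($options, $file, $nonce), true),
        var_export(hardened_allows($options, $file, $nonce, $base . '/themes'), true));
}

// Clean up the constructed layout.
array_map('unlink', [$base . '/themes/demo/header.php', $base . '/wp-config.php']);
array_map('rmdir', [$base . '/themes/demo', $base . '/themes', $base]);
```

Run it with php on the command line. The first case, a real template with the real nonce, passes both checks. The second is the flaw described above: an attachment_* option exists for wp-config.php because the form let us name it, so the vulnerable check serves the file while the hardened one rejects it as outside the theme tree. The third is the loose-comparison problem: "0" == "0e83..." is true because PHP compares two numeric strings as numbers, so the vulnerable check does not even need the real nonce, whereas hash_equals is type-strict and constant-time. The realpath allow-list matters independently of the nonce fix: it rejects the tampered path at download time even if the form side is never hardened.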

Proof of Concept

Affects Plugin

fixed in version 0.9.5


URL https://secupress.me/blog/4-new-security-flaws-w3-total-cache-0-9-4-1/


OWASP Top 10 A8: Cross-Site Request Forgery (CSRF)


Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Views 4620
Verified No


Publicly Published 2016-09-26 (over 2 years ago)
Added 2016-09-26 (over 2 years ago)
Last Updated 2018-01-02 (over 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.