W3 Total Cache <= – Authenticated Arbitrary PHP Code Execution

This one is very easy to exploit using the import settings feature; this is what W3TC will do once your file is uploaded:
    /**
     * Imports config content
     *
     * @param string $filename
     * @return boolean
     */
    function import($filename) {
        if (file_exists($filename) && is_readable($filename)) {
            $data = file_get_contents($filename);
            if (substr($data, 0, 5) == '<?php')
                $data = substr($data, 5);

            // Vulnerable: the uploaded file's content is executed as PHP code
            $config = eval($data);

            if (is_array($config)) {
                foreach ($config as $key => $value)
                  $this->set($key, $value);

                return true;
            }
        }

        return false;
    }

The bad line is $config = eval($data); because it means that all my file content will be evaluated like any other PHP code. Basically we can send a PHP script that will create a backdoor.
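
A hardened counterpart to the import() above, as an added example that is not W3 Total Cache's own code: it treats the uploaded file as data and validates every key before anything is stored. The JSON export format, the size limit, and the key names in ALLOWED_KEYS are assumptions made for illustration.

```php
<?php
// Added example (not W3TC code): import settings as data, never as PHP.
// Assumption: settings are exported as a JSON object; the size limit and
// the key names/types in ALLOWED_KEYS are hypothetical.
const MAX_IMPORT_BYTES = 262144;
const ALLOWED_KEYS = [
    'pgcache.enabled'  => 'boolean',
    'pgcache.lifetime' => 'integer',
    'cdn.domain'       => 'string',
];

/**
 * Parse an uploaded settings file without executing it.
 * @param string $filename
 * @return array|false validated settings, or false if the file is rejected
 */
function import_settings($filename) {
    if (!is_file($filename) || !is_readable($filename)
        || filesize($filename) > MAX_IMPORT_BYTES) {
        return false;
    }
    $data = file_get_contents($filename);
    if ($data === false) {
        return false;
    }
    // json_decode() only builds values; a PHP payload simply fails to parse.
    $config = json_decode($data, true, 8);
    if (!is_array($config)) {
        return false;
    }
    $clean = [];
    foreach ($config as $key => $value) {
        // Reject unknown keys and wrong types instead of storing them blindly.
        if (!array_key_exists($key, ALLOWED_KEYS)
            || gettype($value) !== ALLOWED_KEYS[$key]) {
            return false;
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample inputs: one valid export, one file containing PHP code.
$good = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($good, '{"pgcache.enabled": true, "pgcache.lifetime": 3600}');
$bad = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($bad, '<?php return array("pgcache.enabled" => true);');
var_dump(import_settings($good), import_settings($bad));
unlink($good); unlink($bad);
```

The caller would pass each validated pair to its own setter only after import_settings() returns an array; a false return means the upload is discarded untouched.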

Affects Plugin

fixed in version 0.9.5


URL: https://secupress.me/blog/4-new-security-flaws-w3-total-cache-0-9-4-1/

Type: RCE
OWASP Top 10: A1: Injection

Submitter: SecuPress
Submitter Website: https://secupress.me
Submitter Twitter: secupress
Views: 1485
Verified: No

Publicly Published: 2016-09-26 (almost 2 years ago)
Added: 2016-09-26 (almost 2 years ago)
Last Updated: 2018-01-02 (8 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.