Here are the versions of each plugin that are vulnerable:
- W3 Total Cache (versions 0.9.2.8 and below are vulnerable; versions 0.9.2.9 and up are not vulnerable) / upgrade here
- WP Super Cache (versions 1.2 and below are vulnerable; versions 1.3.x and up are not vulnerable) / upgrade here
If you are running either of these plugins, you should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade). The vulnerability is serious enough that we recommend you disable the plugins until you have completed an upgrade. If you're not already a CloudFlare customer, you can sign up for free to get protection immediately.
As LankaHost is a CloudFlare Partner, you can simply enable CloudFlare protection from your cPanel by clicking the button below.
Once it is enabled, CloudFlare will display the message below for this kind of attack.
Technical Details
The attack takes advantage of several functions in these plugins, including mfunc, mclude, and dynamic-cached-content. An attacker can execute a PHP command on the server by pasting a comment into a WordPress blog running a vulnerable version of W3 Total Cache or WP Super Cache. For example, if you are running a vulnerable version of the plugins, the following will result in your current PHP version being printed in the comment:
<!--mfunc echo PHP_VERSION; --><!--/mfunc-->
While this is harmless, the same mfunc call in either plugin can run other arbitrary commands on our server. This could be used to gain access to the server, execute arbitrary database commands, or remotely install malware. Again, this is a very severe vulnerability and all W3TC and WP Super Cache users should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade).
If we find any compromised accounts, those accounts will be subject to immediate suspension. Therefore, make sure you upgrade those plugins, as well as your WordPress version, to the latest immediately.
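One way to audit a site for this issue, as an added example that is not part of the original notice or of either plugin's code: the Python script below reads a plugin's header comment, compares its version with the fixed versions listed above, and scans comment bodies for the mfunc, mclude and dynamic-cached-content markers. The sample header and comments are constructed, and treating every version below the first fixed release as vulnerable is an assumption.

```python
import re

# First non-vulnerable versions, taken from the notice above.
FIXED = {"W3 Total Cache": (0, 9, 2, 9), "WP Super Cache": (1, 3)}

# Opening markers of the dynamic-content functions named in the notice.
TAG_RE = re.compile(r"<!--\s*(mfunc|mclude|dynamic-cached-content)\b", re.I)
# "Plugin Name:" / "Version:" lines of a WordPress plugin header comment.
HEADER_RE = re.compile(
    r"^[ \t/*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)


def parse_version(text):
    """'0.9.2.8' -> (0, 9, 2, 8); trailing zeros dropped so 1.3.0 == 1.3."""
    parts = [int(n) for n in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def check_plugin(header_text):
    """Return (name, version, vulnerable) for one plugin header.

    vulnerable is None when the plugin is not one of the two in the notice.
    A missing version is treated as vulnerable (assumption: fail closed).
    """
    fields = {k.lower(): v for k, v in HEADER_RE.findall(header_text)}
    name, version = fields.get("plugin name"), fields.get("version", "")
    if name not in FIXED:
        return name, version, None
    return name, version, parse_version(version) < FIXED[name]


def suspicious_comments(comments):
    """Return (comment_id, marker) for each marker found in a comment body."""
    return [(cid, m.group(1).lower())
            for cid, body in comments for m in TAG_RE.finditer(body)]


# Constructed sample data for illustration.
SAMPLE_HEADER = "/*\nPlugin Name: W3 Total Cache\nVersion: 0.9.2.8\n*/"
SAMPLE_COMMENTS = [
    (101, "Great post, thanks!"),
    (102, "<!--mfunc echo PHP_VERSION; --><!--/mfunc-->"),  # from the notice
    (103, "text <!-- dynamic-cached-content --> text"),
]

if __name__ == "__main__":
    print(check_plugin(SAMPLE_HEADER))
    print(suspicious_comments(SAMPLE_COMMENTS))
```

A comment that matches is worth reviewing even after the upgrade, since it shows someone probed the site while it may still have been vulnerable.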