Security researcher Jason A. Donenfeld has revealed a security hole in a popular WordPress plugin that could be used to obtain sensitive data from an affected site. The flaw was discovered in W3 Total Cache, which has been downloaded over a million times and is used by high traffic sites including Mashable and LockerGnome.
The plugin is designed to speed up sites that use the WordPress content management system by up to 10 times through "caching every aspect" of the site. According to Donenfeld, when the plugin is installed with a default setup (i.e. users simply choose "add plugin"), the add-on leaves directory listings enabled for the cache directory.
With listings enabled, Donenfeld says anyone could easily download all of the database cache keys and extract those containing sensitive data. Even if that weren't the case, he notes that the cache data is still publicly accessible by default, so an attacker could view and download database information such as password hashes (simply search Google for "inurl:wp-content/w3tc" and you'll see the directory he's talking about).
Donenfeld has published a simple shell script that can identify and exploit the vulnerability. He stressed that the holes are caused by a configuration that shouldn't be present in the default software, and the developer of W3 Total Cache is expected to release a fix soon, though we haven't seen an estimated release date. For now, sites using the plugin should disable their database cache or create a .htaccess file in wp-content/w3tc.
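For the .htaccess mitigation mentioned above, here is an added example (not from the article, the plugin, or Donenfeld's script) of what such a file can contain on an Apache host. It assumes the server honours .htaccess overrides for the WordPress tree and that the database cache lives in a subdirectory of wp-content/w3tc; the exact subdirectory name is an assumption, since the article names only the parent directory.

```apache
# Added example: place this file in the database-cache directory under
# wp-content/w3tc/ (exact subdirectory name is an assumption; check the
# plugin's settings for where it writes database cache objects).
# Requires AllowOverride to permit Options and authorization directives.
# nginx does not read .htaccess files at all, so this only helps on Apache.

# Stop Apache from generating an index page when no index file exists,
# which is the directory-listing exposure described in the article.
Options -Indexes

# Database cache entries are read by the plugin's PHP code from disk, not
# fetched by browsers, so refuse every direct HTTP request for them.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
```

Scope the deny rule to the database cache directory rather than the whole wp-content/w3tc tree, because the plugin intentionally serves some other cache files (such as cached pages and minified assets) directly over HTTP, and blanket-denying them would break those features.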