CVE-2021-24209: Changeset 2496238 for wp-super-cache – WordPress Plugin Repository
The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page, caused by an input validation failure and a weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.
Timestamp:
03/15/2021 06:14:53 PM (2 years ago)
Author:
donncha
Message:
Merge with GH at https://github.com/Automattic/wp-super-cache/tree/a7fb9dce9841b7094099002f71a45948fb909dfd
Location:
wp-super-cache/trunk
Files:
- readme.txt (3 diffs)
- wp-cache.php (3 diffs)
wp-super-cache/trunk/readme.txt
r2435207
r2496238
2
2
\* Contributors: donncha, automattic
3
3
\* Tags: performance, caching, wp-cache, wp-super-cache, cache
4
\* Tested up to: 5.6
5
\* Stable tag: 1.7.1
4
\* Tested up to: 5.7
5
\* Stable tag: 1.7.2
6
6
\* Requires at least: 3.1
7
7
\* Requires PHP: 5.2.4
…
…
269
269
270
270
\## Changelog ##
271
272
\### 1.7.2 ###
273
\* Fixed authenticated RCE in the settings page. Props @m0ze
274
\* Small bug fixes.
271
275
272
276
\### 1.7.1 ###
…
…
754
758
755
759
\## Upgrade Notice ##
756
Bugfix release.
760
Security and bugfix release. You are encouraged to upgrade as soon as possible.
wp-super-cache/trunk/wp-cache.php
r2350920
r2496238
4
4
Plugin URI: https://wordpress.org/plugins/wp-super-cache/
5
5
Description: Very fast caching plugin for WordPress.
6
Version: 1.7.1
6
Version: 1.7.2
7
7
Author: Automattic
8
8
Author URI: https://automattic.com/
…
…
587
587
if( isset( $\_POST\[ 'wp\_cache\_location' \] ) && $\_POST\[ 'wp\_cache\_location' \] != '' ) {
588
588
$dir = realpath( trailingslashit( dirname( $\_POST\[ 'wp\_cache\_location' \] ) ) );
589
if ( $dir == false )
589
if ( $dir ==\= realpath( '.' ) || false === $dir ) {
590
590
$dir = WP\_CONTENT\_DIR . '/cache/';
591
else
591
} else {
592
592
$dir = trailingslashit( $dir ) . trailingslashit(wpsc\_deep\_replace( array( '..', '\\\\' ), basename( $\_POST\[ 'wp\_cache\_location' \] ) ) );
593
}
593
594
$new\_cache\_path = $dir;
594
595
} else {
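Review bot: The new guard on line 589, `if ( $dir === realpath( '.' ) || false === $dir )`, rejects only the current working directory and paths that do not resolve; any other existing directory returned by `realpath()` is still accepted as the parent of the cache location. Consider checking that `$dir` lies under an expected base such as `WP_CONTENT_DIR` (already the fallback on line 590) and falling back when it does not. A short comment explaining why the working directory is special-cased would also help, since it is not obvious from the condition that `dirname()` of a bare name yields `.`. The `basename()` on line 592 is still only stripped of `..` and backslashes, so `$new_cache_path` should be treated as untrusted by everything that consumes it afterwards.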
…
…
599
600
rename( $cache\_path, $new\_cache\_path );
600
601
$cache\_path = $new\_cache\_path;
601
wp\_cache\_replace\_line('^ \*\\$cache\_path', "\\$cache\_path = '" . $cache\_path . "';", $wp\_cache\_config\_file);
602
wp\_cache\_replace\_line('^ \*\\$cache\_path', "\\$cache\_path = " . var\_export( $cache\_path, true ) . ";", $wp\_cache\_config\_file);
602
603
}
603
604
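Review bot: The return value of `rename( $cache_path, $new_cache_path );` on new line 600 is not checked, so `$cache_path` is reassigned on line 601 and written to `$wp_cache_config_file` on line 602 even when the move failed. Suggest testing the result of `rename()` and leaving the config line untouched on failure. The switch to `var_export( $cache_path, true )` on line 602 would also benefit from a one-line comment stating that the value originates from the request and must always be emitted through `var_export()`, so the hand-quoted concatenation it replaces is not reintroduced in a later edit.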