AHosting, a provider of WordPress web hosting, has advised all users of the popular WP Super Cache plugin to update immediately. A vulnerability in the plugin was recently discovered by Sucuri, a Delaware Corporation. The flaw could allow malicious third parties to inject arbitrary code into a WordPress website to create admin accounts and insert backdoors.
WP Super Cache is a popular solution for WordPress performance optimization. It substantially improves performance by caching pages – essentially turning them into static pages that load more quickly than WordPress’s default dynamically generated pages.
“WP Super Cache is used by over a million WordPress publishers and bloggers, including hundreds that use our web hosting platform,” said Daniel Page, Director of Business Development at AHosting. “We want to ensure that as many WordPress users as possible are informed about the pressing risk the recently discovered XSS vulnerability poses. Users of WP Super Cache should update to version 1.4.4 or later as soon as possible.”
The vulnerability results from the way WP Super Cache manages the file it uses to decide which cached files to load. Using a cross-site scripting attack, in which an authenticated administrator is induced to load a specially crafted web page, attackers may be able to insert arbitrary scripts into this file. Those scripts could be used to carry out any number of actions against a website, essentially leaving it open to takeover by the attacker.
AHosting is a managed web hosting provider with facilities in Orlando, Florida, and Detroit, Michigan.