W3 Total Cache (W3TC) is a famous caching plugin, created by Frederick Townes in 2009. W3TC is known by everyone in the WordPress community and it’s a recommended plugin, it’s always in the top 5 caching plugins.
This widely used plugin has recently been reported for having serious vulnerabilities and security issues. As you browse all the change logs, you can see how many security issues have been fixed during the last years.
What made this topic hot in the past couple of days is the discovery that W3TC is vulnerable to a high-risk rated flaw — XSS.
XSS stands for Cross-site Scripting. It refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application. By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.
W3TC has been reported vulnerable and its Dread score at WP Media has been rated on 5/10 points.
Some other W3T issues have also been discussed in the blogging world fairly often since last year, including issues with the W3 Edge, or the company itself. Disgruntled customers who purchased services from W3 Edge described their negative experience in a post on the WordPress subreddit. The complaints included the lack of communication, not receiving purchased services, and project delays.
In an interview for WPTavern from March this year, Frederick Townes said W3 Total Cache said there was ongoing work on resolving the issues:
Since the last update, development and other operations have been ongoing. There have been several hundred bug fixes based on user feedback, more than 100 improvements and numerous major improvements. We’ve added tens of thousands of unit tests for the various bugs and improvements in an attempt to allow us to release more updates faster in the future.
However, not many improvements have happened ever since. The author promised to update the plugin soon, but waiting for this update, all people using W3TC became the target of XSS attacks.
How to avoid to be a target? The simplest way is to always disconnect your admin account, just use an author or editor one. You can also choose another solution to improve the speed of your website.
We recommend you a plugin updated often, with a good and quick support. Free or premium, just remember that trying to avoid spending $40 for a plugin that will cost you more because of the vulnerabilities, the lack of support or updates is not a so good idea finally
Specialists keep discovering new vulnerabilities. About most recent ones, you can read here.