Vulnerable W3 Total Cache plugin version in use on nextcloud.com
Discovered by francescocar on Nextcloud

This issue took 3 Days and 4 hours to triage and 21 Days and 2 hours to resolve once triaged.



Hi there,

I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt

W3 Total Cache makes the site vulnerable to a series of attacks, including XSS, CSRF and SSRF.

Some references:

https://wpvulndb.com/vulnerabilities/8629 https://wpvulndb.com/vulnerabilities/9269 https://secupress.me/blog/4-new-security-flaws-w3-total-cache-0-9-4-1/

Mitigation

Update the plugin to the last version (or manually patch the vulnerabilities).

On a separate note, I saw this domain is not eligible for bounty :) But wanted to bring this to your attention the same, being WordPress a common target.

Furthermore, this specific vulnerability could lead to a full website defacement: https://blog.mazinahmed.net/2014/12/w3-total-caches-w3totalfail.html

Best Regards, Francesco

Impact

Being the vulnerabilities easy to detect with an external scan, hackers could take advantage of, and use the website to run various malicious activities.