My friend Alan today advised me of a very serious security issue with W3 Total Cache. It’s one of the most popular WordPress plugins available with close to 1.4 million downloads, so a lot of people are going to be affected by this.
Researcher Jason A. Donenfeld warned that:
Many WordPress users that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes.
W3 Edge, the developers of W3 Total Cache, have advised that they are planning on fixing this issue very soon. In the meantime, Donenfeld has advised all W3 Total Cache users to ‘remediate the vulnerability by disabling the “database cache” and “object cache” options and flush any existing caches created with W3 Total Cache’.
If you are using W3 Total Cache, I advise you to take the steps noted above immediately. More information about this security issue can be found at the link below.