It has been a few weeks since we have seen an exploit in a WordPress plugin popular in the SEO community, but a new one has been discovered and fixed, this time in a popular caching plugin with over 1 million active installs.

The plugin in question is WP Super Cache, “A very fast caching engine for WordPress that produces static html files.”  It appears to be the most popular cache plugin offered on WordPress.org, so the potential for the number of websites that aren’t on top of updating plugins is pretty high.

If you are using WP Super Cache, you should upgrade immediately and ensure you are running version 1.4.4, which was quietly updated several days ago.  If you allow automatic plugin updates, you should double check it was updated properly and if you do manual plugin updates, you should update this immediately.

WP Super Cache is one of the popular WordPress cache plugins designed to improve website performance, with one of the features being reducing site speed, which many webmasters have been utilizing even more recently due to the upcoming mobile signal change.  Ironically, it was also the plugin featured in an example for the article on Google now including dates in answer boxes published earlier this week.

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.

It doesn’t appear that this has been actively used to inject malicious code into any sites using the plugin, however now that it is publicized with a fix released, you can expect that hackers will begin to inject links, new admin users and malware.  So it is very important that webmasters update this plugin as soon as possible before an injection occurs.

The Securi Blog has the full technical details about this XSS exploit.

This is the latest in a string of plugins popular with the SEO community to have a discovered exploit patched.  Google Analytics by Yoast, WordPress SEO by Yoast, Shareaholic, RevSlider and Fancybox-for-Wordpress have all recently fixed exploits, so you should also double check you are running the latest versions of these plugins as well.  It is always good to update all plugins when updates are available, because while many assume new releases are merely feature improvements, they oftentimes include exploit fixes that aren’t announced.