Plugin: W3 Total Cache » v0.9.5 Requires PHP5.3+, Fix Errors/Whitescreen, XSS Exploit Not High Risk

  • Just a quick note to everyone having issues, I manage tons of client sites, here’s the gist of the issues:

    Be aware that v0.9.5 now REQUIRES PHP v5.3 or greater… it will cause a white screen if your site is still using PHP v5.2 (or lower, I hope not). While v5.2 is OLD and you SHOULD update, requiring 5.3+ is pretty harsh for many people and many sites that have not been touched in months/years and work just fine, until now. Not nice. But, we’re here now, so:

    If your site is white-screened, there are two ways to fix it. First, ensure your site is configured to run using PHP v5.3+ through your hosting CP or Support, should be easy and quick, problem solved I hope.

    Recommended: edit your site’s root wp-config.php file, scroll to the bottom and change WP_DEBUG from false to true and save it – it will output the actual fatal PHP errors instead of a white screen, very helpful when asking for support or trying to troubleshoot.

    If you can’t easily change PHP versions, then you have to use FTP or a web File Manager to rename the /wp-content/plugins/w3-total-cache/ folder to /wp-content/plugins/w3-total-cache-new or whatever you like, which will deactivate it, or just delete it (if you delete it, other plugins may need it and also error, rename those too maybe). Then try logging into /wp-admin/ again, it should let you log in now.

    You can revert to the older version https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.1.zip OR use the GitHub open source forked version that fixes mostly this issue, and isn’t rewritten to require PHP 5.3+:
    https://github.com/szepeviktor/fix-w3tc/archive/master.zip

    I did have a few sites where I was running PHP v5.3+ and the front-end was working, but required a WP DB update on the back-end so still gave errors… I renamed the /wp-content/plugins/w3-total-cache folder, did the update and logged in, then renamed the folder back, and reactivated the plugin, it is all working fine now.

    ALSO be aware that the XSS Vulnerability isn’t so “High Risk”, as “in order to exploit the vulnerability, an administrator or user with sufficient permissions must have an active session.” So if anyone is an Admin, they’d have to click a link that has the necessary payload to do something bad. Non-logged-in users, logged-in subscribers, the public, etc. do not have permissions to access the link that will cause that XSS exploit to happen, so it’s a very low risk exploit.

    However, v0.9.5 DOES include dozens of OTHER bug fixes as well, so it’s best to ensure you’re running PHP v5.3+ first, and then update.

    Hope this helps someone.

    Rob
    PressWizards.com
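The white-screen recovery steps above, scripted as an added example (this is not code from Rob's post or from the plugin): it assumes shell/SSH access to the host instead of FTP or a file manager, and a WP_ROOT variable pointing at the site root.

```shell
#!/bin/sh
# Added example: automates the recovery steps from the post.
# Assumption: WP_ROOT is the WordPress root (unset by default, so nothing runs
# until you point it at a real site).

# 1. Does the PHP version meet the v0.9.5 requirement (5.3 or greater)?
php_version_ok() {  # $1 = "MAJOR.MINOR[.PATCH]"; true when >= 5.3
  [ -n "$1" ] || return 1
  major="${1%%.*}"
  rest="${1#*.}"
  minor="${rest%%.*}"
  if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 3 ]; }; then
    return 0
  fi
  return 1
}

# 2. Turn WP_DEBUG on so the fatal error is printed instead of a white screen.
#    Keeps a .bak copy so the change can be reverted after troubleshooting.
enable_wp_debug() {  # $1 = path to wp-config.php
  cfg="$1"
  [ -f "$cfg" ] || return 1
  cp -p "$cfg" "$cfg.bak"
  sed "s/define([[:space:]]*'WP_DEBUG'[[:space:]]*,[[:space:]]*false[[:space:]]*)/define('WP_DEBUG', true)/" \
    "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  grep -q "define('WP_DEBUG', true)" "$cfg"
}

# 3. Deactivate W3 Total Cache without wp-admin by renaming its folder.
deactivate_w3tc() {  # $1 = wp-content/plugins directory
  [ -d "$1/w3-total-cache" ] || return 1
  mv "$1/w3-total-cache" "$1/w3-total-cache-disabled"
}

# 4. Rename the folder back once PHP has been upgraded and wp-admin works again.
restore_w3tc() {  # $1 = wp-content/plugins directory
  [ -d "$1/w3-total-cache-disabled" ] || return 1
  mv "$1/w3-total-cache-disabled" "$1/w3-total-cache"
}

# Only act when pointed at a real site (WP_ROOT is an assumption of this example).
if [ -n "${WP_ROOT:-}" ] && [ -f "$WP_ROOT/wp-config.php" ]; then
  if php_version_ok "$(php -r 'echo PHP_VERSION;' 2>/dev/null)"; then
    echo "PHP is 5.3+; v0.9.5 can stay active"
  else
    enable_wp_debug "$WP_ROOT/wp-config.php"
    deactivate_w3tc "$WP_ROOT/wp-content/plugins"
  fi
fi
```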

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hello Rob, you can’t just say “it’s a very low risk” just because of the user range.

    Can you give us your full scoring for this vuln?

    Thank you

  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Can you give us your full scoring for this vuln?

    Not here, no. But please do contact plugins@wordpress.org with the criticality. These forums are not for security exploit conversations. If there’s something that users should be aware of because of BSOD then that’s cool. Discussing how a plugin can be exploited? Not so much.

    *Drinks coffee*

    @presswizards This is a great post but please work with either the plugin author for a statement coming from them or as I’ve asked contact the plugins team.

  • Regarding the XSS exploit, that’s just my personal opinion since it requires admin permissions to be exploitable, but in no way is meant to speak for the author or the plugins team. It’s just to alleviate some fear for non-technical users that rush to update because of it, and break their site – there’s no urgent need to update the plugin IMHO.

  • The topic ‘v0.9.5 Requires PHP5.3+, Fix Errors/Whitescreen, XSS Exploit Not High Risk’ is closed to new replies.