NEWS

WP Super Cache Vulnerability Affects Over 2 Million Sites

Published

1 year ago

March 16, 2021

WP Super Cache Vulnerability Affects Over 2 Million Sites

A vulnerability was discovered in WP Super Cache by Automattic. It’s a low severity vulnerability that could allow a hacker to upload and execute malicious code, usually with the intent to gain control of the site.

Remote Code Execution Vulnerability (RCE)

A flaw was disclosed today that exposes users of WP Super Cache to an authenticated remote code execution (RCE) vulnerability.

Remote code Execution is an exploit that allows an attacker to take advantage of a flaw that can let them upload and run malicious code.

The usual intent is to upload and execute PHP code that then allows them to do things like install backdoors, access and make changes to the database and attain administrator level control of the site.

Once an attacker has administrator level control the site is effectively under their control.

According to the glossary published on Wordfence.com, this is the definition of a Remote Code Execution

“Remote Code Execution (RCE) occurs when an attacker is able to upload code to your website and execute it.
A bug in a PHP application may accept user input and evaluate it as PHP code. This could, for example, allow an attacker to tell the website to create a new file containing code that grants the attacker full access to your website.
When an attacker sends code to your web application and it is executed, granting the attacker access, they have exploited an RCE vulnerability. This is a very serious vulnerability because it is usually easy to exploit and grants full access to an attacker immediately after being exploited.”

Authenticated Remote Code Execution Vulnerability

WP Super Cache contains a variation of the RCE exploit called the Authenticated Remote Code Execution.

An authenticated Remote Code Execution vulnerability is an attack in which the attacker must first be registered with the site.

What level of registration is needed depends on the exact vulnerability and can vary.

Sometimes it needs to be a registered user with editing privileges. In the worst case scenario all the attacker needs is the lowest registration level such as a subscriber level.

No details have been published as to which kind of authentication is needed for the exploit.

This is the additional detail that was revealed:

“Authenticated Remote Code Execution (RCE) vulnerability (settings page) discovered…”

Patch Has Been Issued Update Immediately

Automattic, the developer of WP Super Cache has updated the software. Publishers who use the plugin are urged to consider upgrading to the latest version, 1.7.2.

Every software publisher publishes a changelog that tells the users what is in an update so they know why the software is being updated.

According to the changelog for WP Super Cache Version 1.7.2:

“Fixed authenticated RCE in the settings page.”

According to Oliver Sild, CEO & Founder of website security company Patchstack (@patchstackapp):

“The fixed issue is of low severity… But it’s still advised to update the plugin ASAP though.”

Citations

Patchstack Report: WordPress WP Super Cache Plugin <= 1.7.1 – Authenticated Remote Code Execution (RCE) Vulnerability

WP Super Cache Changelog

Searchenginejournal.com

NEWS

Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster

Published

5 months ago

December 28, 2021

Roger Montti

Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

Our December 2021 product reviews update is now rolling out for English-language pages. It will take about three weeks to complete. We have also extended our advice for product review creators: https://t.co/N4rjJWoaqE
— Google Search Central (@googlesearchc) December 1, 2021

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.
Think of sites like “best TVs under $200″.com.
Goal is to improve the quality and usefulness of reviews we show users.”

Continue Reading Below

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.

Continue Reading Below

But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.
So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.
…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?
My assumption was this was global and and across all languages.
But I don’t know what we announced in the blog post specifically.
Advertisement

But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.
I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.
But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.
And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.
So I’m not particularly surprised that you see changes in Germany.
But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.

One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.