First, if you are using rtCamp’s WordPress-Nginx Managed Hosting, then you do not need to panic.

We don’t use WP Super Cache on any production site. On few sites, where we are using W3 Total Cache, we have updated the plugin last week only when update was released.

Now, both WP Super Cache and W3 Total Cache plugins have fixed the issue. If you are using these plugins and haven’t updated them recently, rush to your WordPress-Site and update these plugins immediately.

Also, some of our Nginx readers, who use Nginx’s fastcgi_cache for page-caching but W3 Total Cache for its other feature, should also update W3 Total Cache right now.

How can you verify if your site is safe?

Assuming, we have warned you enough and you have upgraded plugin on your site, lets proceed to the actual issue itself.

About a month ago, a user kisscsaby reported in forum about Remote Code Execution vulnerability. He also showed proof of concept. IMHO, it was wrong way to report a serious vulnerability like this. Such issues should be reported to concerned developers over a private communication channel only.

Both these plugins provide a feature using which you can prevent part of pages getting cached. Details about these functions are preset here. Please look for answer to question – “How do I make certain parts of the page stay dynamic?”

The special syntax, these plugins use are actually HTML comments which are ignored by WordPress. But these comments contains PHP codes which gets executed by old version of these plugins.

Test Yourself

Just go to your site, and post following line as a comment:

<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

If page reloads and your comment show up as blank, then you are all safe. But if you see PHP version running on your server, then that means any arbitrary PHP code can be executed on your server via comment-form!

In any case, you should keep all your themes, plugins and WordPress itself updated! 🙂


  1. I am using W3TC plugin, but its updated. When I posted the comment you mentioned in the article, I got the following message:

    “Your action has triggered a security rule and the action was not completed.
    The action was stopped by the CloudFlare security solution because it appears that you are trying to launch an attack.
    You can learn more about the reported attack here.
    If you believe you are receiving this message in error, please contact the CloudFlare Support team.”

    Guess I am all safe! Right?

Comments are closed.