[CLOUDFLARE] New Wordpress Vulnerability - protect your customers

easyhostmedia

Well-known member
Hi

Just got this email from Cloudflare.

CloudFlare Partners:


There is a new serious WordPress vulnerability in certain versions of two popular WordPress caching plugins, W3TC and WP Super Cache. The vulnerability allows remote PHP code to be executed locally on a server for anyone running either of the plugins. An attacker could then execute code on the infected server.


CloudFlare has applied a rule to our network which automatically protects all CloudFlare customers, including those on free plans. Details about the vulnerability are available at:


http://blog.cloudflare.com/w3tc-and-wp-super-cache-vulnerability-discove-17794

We strongly recommend advising your customers to upgrade their WP plugins immediately. As a precaution, consider enabling CloudFlare Free for any customer using WordPress, even if temporarily. We have an automated way for you to do so. Email partners@cloudflare.com if you are considering this option and we will guide you through the process.

Let me know if you have any questions,
Maria

Maria Karaivanova
Strategic Partnerships
CloudFlare maria@cloudflare.com

Twitter @mariakar | @cloudflare
 
That's a good thing of CloudFlare to offer such a service; then again, it's also a good way for them to get some new websites powered by CloudFlare :).
 
With combined downloads of over 5 million (of course not knowing how many sites are still active), that would still leave a massive number of websites open to possible infection.
 
I would say Cloudflare has done the correct thing: they found a further vulnerability in 2 WP plugins and created patches for these, but to use the patches the sites must have CF enabled.
 
Yep, definitely good news for Cloudflare customers.

With regards to W3 Total Cache (which I use on some websites), the 0.9.2.9 version was released on April 17th (8 days ago).

So while there is a vulnerability, and Cloudflare has done a great job of patching the 0.9.2.8 version, anyone who is using it is already using OUTDATED SOFTWARE. Had they updated to the 0.9.2.9 version (as released 8 days ago), they'd already be patched and not have a problem.

Cloudflare's patch is targeted directly at people who fail to keep their plugins and software updated to the latest releases (and there's a lot of those people too!)
 
Cloudflare's patch is targeted directly at people who fail to keep their plugins and software updated to the latest releases (and there's a lot of those people too!)

That's true. I am sick of the monthly reminders of updated scripts; I think some people have the mentality "if it ain't broken, then no need to fix".
 