W3 Total Cache Information Exposure Vulnerability via User-Agent Header

Vulnerability

A vulnerability allowing information exposure has been identified in the W3 Total Cache plugin for WordPress, affecting all versions through 2.9.3. The issue arises because the plugin skips its output buffering and processing pipeline when the User-Agent header includes 'W3 Total Cache'. This bypass allows raw dynamic fragment HTML comments, such as the W3TC_DYNAMIC_SECURITY security token, to be exposed in the page source. Unauthenticated attackers can exploit this by sending a modified User-Agent header to pages with dynamic fragment tags, provided fragment caching is enabled on the site.

Impact

Exposing the W3TC_DYNAMIC_SECURITY token in the page source allows attackers to access sensitive information that could be used to bypass security measures or exploit other vulnerabilities.

Reproduction

To reproduce this vulnerability, send a request to a WordPress site with the W3 Total Cache plugin installed. Include a User-Agent header that contains 'W3 Total Cache'. The response will include unprocessed dynamic fragment HTML comments, revealing the W3TC_DYNAMIC_SECURITY token, especially on pages with developer-inserted dynamic fragment tags and fragment caching enabled.

Remediation

Users are advised to update the W3 Total Cache plugin to version 2.9.4 or later.
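To check whether the request pattern described under Reproduction has already been seen, the following added example (not code from the advisory or from the plugin) scans web server access logs for User-Agent values containing 'W3 Total Cache' that come from outside a trusted range. It assumes logs in Apache/nginx combined format and that the plugin's own requests to the site originate from loopback; the names `find_suspect_requests`, `TRUSTED_NETS` and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# User-Agent substring named in the advisory; compared case-insensitively so the
# check errs on the side of flagging too much rather than too little.
MARKER = "w3 total cache"

# Assumption: requests the plugin makes to its own site originate from these ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]


def is_trusted(ip, nets=TRUSTED_NETS):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(addr in net for net in nets)


def find_suspect_requests(lines, nets=TRUSTED_NETS):
    """Return (ip, time, path, status) for marker User-Agents from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in combined format
        if MARKER in m["ua"].lower() and not is_trusted(m["ip"], nets):
            hits.append((m["ip"], m["time"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2026:08:01:12 +0000] "GET /blog/ HTTP/1.1" 200 18432 "-" "Mozilla/5.0 W3 Total Cache"',
    '127.0.0.1 - - [02/Apr/2026:08:02:00 +0000] "GET / HTTP/1.1" 200 9120 "-" "W3 Total Cache"',
    '198.51.100.20 - - [02/Apr/2026:08:03:41 +0000] "GET /shop/ HTTP/1.1" 200 20110 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.20 - - [02/Apr/2026:08:04:05 +0000] "GET /shop/ HTTP/1.1" 200 20544 "-" "curl/8.5.0 w3 total cache"',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("suspect request:", hit)
```

Hits against a site still running 2.9.3 or earlier with fragment caching enabled are worth reviewing alongside the update; extend `TRUSTED_NETS` if the site sits behind a reverse proxy or load balancer whose address appears in the client field.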

Added: Apr 2, 2026, 8:20 AM
Updated: Apr 2, 2026, 8:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.