CVE-2019-6715
published 2019-04-01


Priority: P264, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 19.40% (97.0th percentile)
pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.

Affected

1 range
Vendor | Product | Version range | Fixed in
boldgrid | w3_total_cache | < 0.9.4 | 0.9.4

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/w3-total-cache/pub/sns.php
command:
    PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    {"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://rfi.nessus.org/rfi.txt"}
url: https://rfi.nessus.org/rfi.txt
  • Look for HTTP PUT requests targeting the path /wp-content/plugins/w3-total-cache/pub/sns.php with a JSON body containing 'Type':'SubscriptionConfirmation' and a 'SubscribeURL' field using the file:// scheme (directory traversal) or external URLs (SSRF).
  • Detect the JSON payload structure: Type=SubscriptionConfirmation with a SubscribeURL value using file:// protocol, indicating local file read attempts via directory traversal (e.g., file:///../../etc/passwd).
  • Alert on HTTP PUT method to sns.php in the w3-total-cache plugin directory; this endpoint should not normally receive PUT requests from unauthenticated external sources.
  • Match the response body for the base64 string 'TmVzc3VzQ29kZUV4ZWNUZXN0' as a detection indicator for successful SSRF/file-read exploitation in the nuclei template.
  • The Metasploit module's DEPTH parameter controls the number of '../' traversal sequences prepended to the target file path. Default depth is 2; operators should tune this based on the WordPress installation depth relative to the web root.
  • Affected versions are W3 Total Cache 0.9.2.6 through 0.9.3 only; version 0.9.4 and above are patched. Verify plugin version via readme before triggering the exploit module.
  • The vulnerability is exploitable with web server privileges only; files readable by the web server process are accessible, not necessarily all system files.
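
The detection points above, combined into one check over captured request/response pairs. This is an added example, not code from this page or from any scanner it cites; the record layout, the finding names and the `.amazonaws.com` allowlist for genuine SNS confirmation hosts are assumptions to adapt to your own log source.

```python
import json
from urllib.parse import urlsplit

SNS_PATH = "/wp-content/plugins/w3-total-cache/pub/sns.php"
SCAN_MARKER = "TmVzc3VzQ29kZUV4ZWNUZXN0"   # response string named on this page
ALLOWED_HOST_SUFFIX = ".amazonaws.com"     # assumption: genuine SNS confirm hosts

def classify_request(method, path, body, response_body=""):
    """Return the detection findings for one captured request/response pair."""
    findings = []
    if urlsplit(path).path.lower() != SNS_PATH:
        return findings
    if method.upper() == "PUT":
        findings.append("put-to-sns")
    if SCAN_MARKER in (response_body or ""):
        findings.append("marker-in-response")
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return findings                     # no JSON body to inspect
    if not isinstance(doc, dict) or doc.get("Type") != "SubscriptionConfirmation":
        return findings
    url = doc.get("SubscribeURL")
    if not isinstance(url, str):
        return findings
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        findings.append("subscribeurl-unparseable")
        return findings
    scheme = parts.scheme.lower()
    if scheme == "file":
        findings.append("subscribeurl-file-scheme")
    elif scheme in ("http", "https"):
        if not host.endswith(ALLOWED_HOST_SUFFIX):
            findings.append("subscribeurl-external-host")
    else:
        findings.append("subscribeurl-unexpected-scheme")
    return findings

# Constructed sample records: (method, path, request body, response body).
SAMPLES = [
    ("PUT", SNS_PATH, '{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://rfi.nessus.org/rfi.txt"}', SCAN_MARKER),
    ("PUT", SNS_PATH, '{"Type":"SubscriptionConfirmation","SubscribeURL":"file:///../../etc/passwd"}', ""),
    ("POST", SNS_PATH, '{"Type":"SubscriptionConfirmation","SubscribeURL":"https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"}', ""),
    ("GET", "/wp-login.php", "", ""),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec[0], rec[1], classify_request(*rec))
```

An empty list means no finding; any finding on a site still running a version before 0.9.4 warrants review of what the web server process could have read.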

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N