Detects publicly accessible W3 Total Cache database cache files in the wp-content/w3tc/dbcache/ directory. When database caching to disk is enabled, these files contain raw SQL query results, potentially exposing sensitive data such as user details, password hashes, emails, or other database content if the directory is not properly protected.
PoC code [public]
id: wp-w3-total-cache-exposure

info:
  name: WordPress W3 Total Cache - Cache Files Exposure
  author: pussycat0x
  severity: high
  description: |
    Detects publicly accessible W3 Total Cache database cache files in the wp-content/w3tc/dbcache/ directory. When database caching to disk is enabled, these files contain raw SQL query results, potentially exposing sensitive data such as user details, password hashes, emails, or other database content if the directory is not properly protected.
  reference:
    - https://www.acunetix.com/vulnerabilities/web/wordpress-w3-total-cache-plugin-predictable-cache-filenames/
    - https://www.openwall.com/lists/oss-security/2012/12/30/3 (CVE-2012-6077 related discussion)
    - https://siteground.com/blog/w3-total-cache-vulnerability/
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="/wp-content/w3tc/dbcache/"
  tags: wordpress,wp-plugin,w3-total-cache,exposure,cache,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/w3tc/dbcache/"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "wp-content/w3tc/dbcache", "Index of","Parent Directory")'
        condition: and
# digest: 4b0a00483046022100f2ecb6ea22c9e2b0f200120ec2a8658d3ec65869076f6551a955ea151b9f2558022100b2f01dc82cd2be5778a2645490728c79ff007078ab037b8d398b3c7fb580ea1e:922c64590222798bb761d5b6d8e72950
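The matcher above only fires on an Apache-style directory listing, so a non-match is not evidence that the cache directory is protected. The following is an added example, not part of the template or the original page: it re-implements the two DSL conditions offline and runs them over constructed responses. The function names and sample bodies are assumptions made for illustration.

```python
# Added example: offline re-implementation of the template's two DSL conditions.
# Assumption: contains_all() is a case-sensitive substring test on the body.
REQUIRED = ("wp-content/w3tc/dbcache", "Index of", "Parent Directory")


def template_matches(status_code: int, body: str) -> bool:
    """True when both matcher conditions hold (condition: and)."""
    return status_code == 200 and all(s in body for s in REQUIRED)


def unmet_conditions(status_code: int, body: str) -> list[str]:
    """List the conditions a response fails, for triaging a non-match."""
    reasons = []
    if status_code != 200:
        reasons.append(f"status {status_code} != 200")
    reasons += [f"body lacks {s!r}" for s in REQUIRED if s not in body]
    return reasons


# Constructed sample responses (not captured from any real site).
APACHE_LISTING = (
    "<html><head><title>Index of /wp-content/w3tc/dbcache</title></head>"
    "<body><h1>Index of /wp-content/w3tc/dbcache</h1>"
    '<a href="/wp-content/w3tc/">Parent Directory</a></body></html>'
)
# nginx autoindex pages link to "../" and never print "Parent Directory".
NGINX_LISTING = (
    "<html><head><title>Index of /wp-content/w3tc/dbcache/</title></head>"
    "<body><h1>Index of /wp-content/w3tc/dbcache/</h1><hr><pre>"
    '<a href="../">../</a></pre><hr></body></html>'
)
FORBIDDEN = "<html><body><h1>403 Forbidden</h1></body></html>"

SAMPLES = {
    "apache autoindex": (200, APACHE_LISTING),
    "nginx autoindex": (200, NGINX_LISTING),
    "listing denied": (403, FORBIDDEN),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        verdict = "MATCH" if template_matches(status, body) else "no match"
        print(f"{name:18} {verdict:9} {unmet_conditions(status, body)}")
```

The nginx sample is a directory listing of the same path yet does not match, so confirm protection from the server configuration for `wp-content/w3tc/dbcache/` rather than from a clean scan result.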